Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CBF324E3509CC62FA6CA50254F51AF,SHA256=19BCE5413D18B85E89733D34796DE6F34DC71126CE831CB49D1EFC9614A7D235falsetrue 354300x80000000000000001535045Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:37.707{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60596-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535044Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:44.650{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E284A9AD02283EAC681F1066CDEE76,SHA256=9AD54C54E9F96B81A77C4719C2EBB2A0B038F26FDB7B28E24BA085ADA658D0A0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:44.435{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:44.435{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CEC3629657FC78EF4E2455071BB9ED04,SHA256=B14CBCD3A84F86480722C809F9DCFDA16DC991DF39073DC0FDEE9C961A01514Bfalsetrue 11241100x80000000000000005426768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:44.295{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:44.295{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0738A3D3CFE4C4FEF5FA7B41D4A531C2,SHA256=76DF09B760E1F2A545147E7B184A5895A13CFC9989CB9CE037DD6562641BBB5Ffalsetrue 11241100x80000000000000005426772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:45.310{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:45.310{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3893763E12740D3ED585013F0DABF9D4,SHA256=3A500129CFC3A684D5A4D0807E266FB2DFB7EA681CC6892B56878E8650F4EF6Efalsetrue 
23542300x80000000000000001535046Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:45.653{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47E95730FC508EC4D772F9B19179887,SHA256=85EAF8B77D8E95B0C1B32925042A5B7BEB4AE7C90BE59AC124B013DA886D610E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535047Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:46.656{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02E6B88C13E2BB74EDC0C3442329B64,SHA256=0D9CB321CF4010CC1062C703D6E47F9E4DCB32E0161308A7D6E536147FDA3197,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:46.326{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:46.326{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4514DBCD6AA26E0676C61B8BD7D447,SHA256=40EB4A4BF3D09E3FDC3EC02EAE60D257FB25EF5313578E91B125728B6430DF15falsetrue 
23542300x80000000000000001535048Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:47.658{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF64CDD58F661D5DC7B7CF81C0CA210E,SHA256=75550DAB116E1886ADA3560DB77215C6078BAA8E93DC119CD159E60005006B38,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:47.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005426779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:47.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F420302D4AEDC8BB23170B8BCA9C5E7,SHA256=D0F3FB9DBD99AF2C008DEFEACDA570764345A473792FE419B2741DAF73A67A52falsetrue 11241100x80000000000000005426778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:47.583{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005426777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:47.583{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005426776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:47.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:47.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A0FC833287FCB90FCF55AE9C67CFF0,SHA256=4E60C3CFE9AC365E6B0B2A50D436492DB0AEFA5BDC0AC1D5E9C52770B79851E2falsetrue 23542300x80000000000000001535050Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:48.661{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81E1BEFD174826DAD535E86CF38E86E,SHA256=FC0096AB6C347040EDEC3A719607CF1C1EBB6ACD752897F8999E9ADE993C2CBA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:48.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005426785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:48.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=379D2268A750B8DFC47B87348E570FC5,SHA256=4D4E5F1E3FA059676DE05E597AA8DA0B695F5423DF2C787609A6FE507128FC41falsetrue 11241100x80000000000000005426784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:48.583{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:48.583{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2C700267C85AF309697581D736CD6C4D,SHA256=E2B38756CC955BA52F059824A8BF490178E7E491D9E69A48260B27790807395Dfalsetrue 11241100x80000000000000005426782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:48.348{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:48.348{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0239341874E8FCFD190B62F2A624FD17,SHA256=06EB986C7E73CD2C55C2303F77415114756615352DCDFF2EB05A64FFE5A4C058falsetrue 13241300x80000000000000001535049Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:09:48.245{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a4dc-0xb5e96302) 23542300x80000000000000001535053Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:49.694{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9B500912EB1370852A69DE08BB6599,SHA256=8C3476A44D7BDBC7EDAACE11A939DD40EF229589A27BF08531D97B8D3AFAFC08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005426795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:35.888{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-291.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal123ntp 354300x80000000000000005426794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:35.755{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63348-false10.0.1.12-8000- 354300x80000000000000005426793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:35.223{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63347-false10.0.1.12-8089- 11241100x80000000000000005426792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:49.489{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:49.489{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=721B76ACC69BCE6BA90A355E7B0D3D4B,SHA256=A95923147CDCED7A22211944235BE3DD8D9C6212AA4FC3C807CDE37825BA243Efalsetrue 11241100x80000000000000005426790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:49.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:49.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD13AE6A3B5D23E387A9AE7880897998,SHA256=2C14C75B11EA3A9BE3ECFBA0AD9E43D9C23E86C93A9D048FA2F3977B9131FBF0falsetrue 23542300x80000000000000001535052Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:49.231{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FF250091392C068715E0C347877DC14,SHA256=1DB12DFE763AEFA705A32E4976B37BF798021F661C2AA5350E10BECEA90C0353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535051Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:49.231{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F1C34719120E562D98FCEAB6C40B245,SHA256=AFBD9903A801D35CF1A35EC003FD0653B4B99DFB7559205FCE6023FC13C7B1EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:49.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005426787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:49.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C505734A583C9A61FED82A3DEBB6CDF,SHA256=FA5E48CD2250F90A17A00CEAE55BB13FC65FC05697D877FC13C9314BD6C14DB2falsetrue 23542300x80000000000000001535055Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:50.715{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8C6E6A92DA6224D16317785CC0757A,SHA256=BDF3015103C593F3AEF4F2DA87FC39C33B5EE852B48E3596A4929817DC1DBE15,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:50.520{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:50.520{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE519F00BD4C4CC8AD4DC473CF5C45C5,SHA256=19F3CC183FE6B0165280DBC729649B22C01079AA11A7BB2F938F4206527B14EBfalsetrue 354300x80000000000000001535054Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:42.889{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-296.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 23542300x80000000000000001535057Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:51.737{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB1F9B7AFB73E0F0295B6F7AB9B4E18,SHA256=4CD8A1DABE6DE10E124B27E79CFB93D481A2054FA76BD9D67A9E9B109228E9DF,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005426799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:51.551{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:51.551{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3AB3F956E368FA072E437A7F774DD0,SHA256=923407387F767A70F079731720B9592E84898C16092ACD88469539B3B9F26C0Cfalsetrue 354300x80000000000000001535056Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:42.890{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60597-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005426801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:52.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:52.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06572C8B5CA6026C990E505E71D99859,SHA256=3CDD426CD5669EC137EAD06DAA1001C75E6FDACCE72E3B5A7DA349984268CEBAfalsetrue 23542300x80000000000000001535058Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:52.740{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A548B3122D2833CBDCEBF10402EA5ACF,SHA256=9F336583F962BD03AF73E7536527186C05837EBED489BAB40A27CA8A940D1976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535059Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:53.743{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B204BC7DF84D24BDEF3117800130DCA7,SHA256=725097065E6DF4636EEB219940CA7E9E0C4F2F8D741D0A7F61AFD8737FC15F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535060Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:54.762{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4F503A9CE57565803E03F7F612A70E,SHA256=ABD9A8648E8B2A1106EE2F636EF3A8AB0B6AA3B0A5F369F9D0A950F9A3DD7A3C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.567{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.567{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9963C27E7F7CFB9B037F771ACF99AD7B,SHA256=976FA9E55F72E28D36D30930690CDF4DDE4F4DE8AE185C84465F495AA56721ECfalsetrue 11241100x80000000000000005426809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D6992896746F004BDC795930D02B4913,SHA256=B4612C83B9E92EFE0183F9353115F808392953EE4F5F681C6118E8DAB4D95C33falsetrue 11241100x80000000000000005426807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005426806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:54.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D4726101AD473C021E9966EE7B80685,SHA256=3E887432EECC9A1D0C1BB7106D6D9BF980E51BF20B8455980FCCEC73CCAD811Ffalsetrue 11241100x80000000000000005426805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.067{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7121631E04B1DE38C3A1C12838AC4348,SHA256=138574A4F52A86D956C12C39ACB9292D09DD9F97C3BB22CFBF9DF357EEDE6198falsetrue 11241100x80000000000000005426803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.067{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.067{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2135A9D6BE00033D1C3ACF98C5BEEC,SHA256=1D82BEB29327D49F5F8D0B6C3CB41A2D865C100E242AB12FDDBE4366BEDFE6A7falsetrue 23542300x80000000000000001535063Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:55.765{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E504F2B6E85BF3DAC99EC0E1053DDE,SHA256=18F57812DABDA09C03A249D6A90B59226275E4FD3F650F026B176EDDD7CF1597,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:55.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:55.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3EF768D26818EE3A1CDA86BF5D2981,SHA256=EE0393773A01B904B7C2AC157F8E73EAAB80CE03C4BDD521D915AC98F8497901falsetrue 23542300x80000000000000001535062Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:55.178{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AC2E9C31DF85861827A1FA65FDCB0C4,SHA256=DEF0801FBA88F5E4C0721A6582ABA864891BAD6E29179F1918235AED6C52208C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535061Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:55.178{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FF250091392C068715E0C347877DC14,SHA256=1DB12DFE763AEFA705A32E4976B37BF798021F661C2AA5350E10BECEA90C0353,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005426812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:40.801{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63349-false10.0.1.12-8000- 23542300x80000000000000001535065Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:56.768{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2981F683D90A6DC76F1B9069EA0E1E5,SHA256=E116428288929B90F1DB5738FE491F383200FF37AA1DF643E3C71B60164BAADC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:56.317{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005426815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:56.317{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBFABD8EBDE8346101B3558FBBA62CD,SHA256=A02292C101A222C6CFCD738306E99CD643AF7955C7C376C4E6A39E4DB4217E63falsetrue 354300x80000000000000001535064Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:48.685{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60598-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535066Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:57.771{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30865556EECC9EA2CA49D46793B3B3DF,SHA256=6868218E2CDEABF9042ABBFB13B6812D890E2108A323194A93119A98EBCA9C73,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:57.426{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:57.426{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685FBB63F00187DC220453CA68210F11,SHA256=67815C0EAF344A901815C67CDD1D6703DFA3625D970B634590AF3A6EBF83BC21falsetrue 11241100x80000000000000005426824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:58.942{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:58.942{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7BA0711454E546537065FD22E0CA0792,SHA256=1D7A80B443360B9BA5166A728D3FA10E9CA2C31BEF2B0310A43F298977614437falsetrue 11241100x80000000000000005426822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:58.848{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:58.848{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AEE8E10245E33F9F365CA8C6DD4A597E,SHA256=43B6B0FE99FF38D05EA78A7E6A8FC4F0B26E74A655207E0ACE5C7606F0342A64falsetrue 
11241100x80000000000000005426820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:58.442{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:58.442{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A755808F40566F38129172951D64AE4C,SHA256=E32819A27E291400F2713A19D62CC7DF594283E88C01576616B5C81E5AEE5766falsetrue 23542300x80000000000000001535067Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:58.774{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC8733A6ED07EF3C0C9B845E4ED3D67,SHA256=23562168866E7764D40655FD8F3CBD9DEE55DCB87D72D1068E7A0F742CAED42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535068Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:59.777{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC012AE1EE5DEC1BD53999C62A15C671,SHA256=A6D7D6A558794601DCA22ECFCEE718D49151AD0D8E7043BD7B397BF028F4E176,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005426832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9B8BFCAE254D62C1D898D7FEE1FDBCA9,SHA256=7990A6456AE1DECEF0D3900E0856B9A224CA263F1030CF182A4493C7B5490F5Efalsetrue 11241100x80000000000000005426830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146EF0269012E29A8BC792B262C97F7C,SHA256=E4759E311CBCC0B4D8BFEB5F7C88082C16F84B690240AAB818170111993E610Cfalsetrue 11241100x80000000000000005426828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005426827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1641A8E3B68D93C9C4B8604859BC9CA2,SHA256=697718F4C8206F3282FBD919ADDC0C4E53E6F8A9B67E31BFA423640CB6135266falsetrue 11241100x80000000000000005426826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005426825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CD1BFD9D3450F94DF68CDBC3E332843,SHA256=6F7FCBE21FD261A9253953127A6D70B453C90233E9E66B73FDF50ABCEB9BE0B0falsetrue 23542300x80000000000000001535070Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:00.780{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7428B622D169D27CAB1B047AC22404B7,SHA256=A7590F6D575D688F2A8A57D861838E40EDAC820B14C376926DA4DD898AA97C54,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:00.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:00.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49ABDE37DAE1D729DF90ABDC9DE2E643,SHA256=7C8984704E61D4C8346A53BEDEDF8096709A9658F9D9B46046E98FA9A2755DE9falsetrue 23542300x80000000000000001535069Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:00.043{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AC2E9C31DF85861827A1FA65FDCB0C4,SHA256=DEF0801FBA88F5E4C0721A6582ABA864891BAD6E29179F1918235AED6C52208C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005426833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:45.864{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63350-false10.0.1.12-8000- 23542300x80000000000000001535072Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:01.783{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660745F051108E56481C5521D562F252,SHA256=53DBB8BA085585E2F66BFCA670607EA7BC896D06CEE50C40F449A7CA512BD624,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:01.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:01.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E834CCE6ACDBB32BA0896C09B54C31B,SHA256=571024EE15DEACEA98FC1AAB0D0726137AC6CB318DF26D88A202B3364610830Ffalsetrue 354300x80000000000000001535071Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:53.701{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60599-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535073Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:02.785{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE46A0445605CA6FA9A3A5FEB6B496A,SHA256=D8DBB2C94B3BA1809D7B0923DF8A1C17355C4C59A38083AE601AD743A6A247C8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:02.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005426840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:02.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1641A8E3B68D93C9C4B8604859BC9CA2,SHA256=697718F4C8206F3282FBD919ADDC0C4E53E6F8A9B67E31BFA423640CB6135266falsetrue 11241100x80000000000000005426839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:02.536{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:02.536{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B117559C10C3F91FB7B8D82AC2FCC88E,SHA256=68862CBDD782622C36DF4983A5DDC56C039F6FBD3CC54B2947596F3BAABF32F5falsetrue 
23542300x80000000000000001535074Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:03.789{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316BB85D17B99C7592D7DA67A0228348,SHA256=34AD142BEE1400C5E00FC8A6AB053422D66F49968BB83F30A0EE438B06550207,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:03.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:03.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5145BF483FB462906FC0F63E8EE83830,SHA256=4EB0A201150FCB7366D01512FE34C3B8DC8245EC5E45BFE5BAC8B66C5DE464F3falsetrue 11241100x80000000000000005426843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:03.598{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:03.598{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75113F4838875E38D76A602CD2BFE5D8,SHA256=2764A550749EA9E89E8C797E5175D57C18F7664393FC0700C01FD121985575EDfalsetrue 23542300x80000000000000001535075Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:04.792{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9112B382E2AF2A3A00BF652968FE6F0,SHA256=5D04779B9EDA71C0DE17A57F6CC51A5E5D13DCE38AA9CA924EB65E3A2EFD1231,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:04.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:04.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A20B935EABA0CB9600526D35879A3A0,SHA256=A437F214196B974A924F51B0136E45251046FECE368AAF9AA2036EA1CBEF43DAfalsetrue 11241100x80000000000000005426849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:04.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:04.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7EB691B40FBEA66CFB3724EE5BAD25,SHA256=5D3303D266831F0A05D3DAECF344BF92E880D58E94728CF8E01DB77C8C1289B7falsetrue 11241100x80000000000000005426847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:04.020{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:04.020{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=660106451C709D6EE383278B41951BC3,SHA256=C7EF41846454FBEAF7A1627D7FE6DEFC2076929425C7E94DD631BBF0F84C2903falsetrue 23542300x80000000000000001535079Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:05.795{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF0961EB145D49C3B08C4D90BFF8258,SHA256=90933E409587E7F4B39DC45040CB780EE71E2CBCD9719AEE60244448940A2BD2,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000005426859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.817{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.817{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:05.817{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005426856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CE0EB2DB5DF3BDE58D173E9B460200,SHA256=ECC62AAD7C9647BDCFD1AE03F485A128365E5ACCDE2EE01B8BB8FF2BA55E4D7Ffalsetrue 23542300x80000000000000001535078Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:05.757{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=51BDB4898F3506A3533FB32B0F89FEE0,SHA256=7FCAFD25AC98F05DB11648671A0EA211A4087FF2DD75D007EF70F8A722F3D572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535077Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:05.378{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3222A57B26887F99D2CA807F4C567EF,SHA256=62051FB0DB8B0994225215E5FF8BB17DF16E9400F7D1FA74C97AE0CE3DCF39A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535076Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:05.378{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0D6247FCE5077A7FBD27727B1375CB3,SHA256=4C84CDE2BB50A0376503EFC374BC259301EEA3E3B78DC4264A06280A7794A4B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005426854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:51.738{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63351-false10.0.1.12-8000- 11241100x80000000000000005426853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.145{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
18:10:17.772{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535114Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.772{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535113Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:17.772{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FC89-6138-25CE-00000000F101}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535112Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.772{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC89-6138-25CE-00000000F101}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535111Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.757{AEE49BD1-FC89-6138-25CE-00000000F101}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001535110Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.224{AEE49BD1-FC89-6138-24CE-00000000F101}47525840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535109Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.092{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FC89-6138-24CE-00000000F101}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001535108Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.092{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535107Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.092{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535106Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:17.092{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535105Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.092{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535104Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:17.092{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FC89-6138-24CE-00000000F101}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535103Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.092{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC89-6138-24CE-00000000F101}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535102Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.087{AEE49BD1-FC89-6138-24CE-00000000F101}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535129Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.874{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA48961D5014D9B15810658DC4E8D79D,SHA256=451B90C9FC431A24B46B6B215ACE1966EBFA6DB203ECA4540A62885E06331611,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:18.881{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:18.881{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5D36540082CF519D1B1CE127880FD516,SHA256=69237D2B6E32D3F88D72C5AACE5BD5D8943BC03FD4049B111D583699192A1928falsetrue 354300x80000000000000005426932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:05.347{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63356-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005426931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.347{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63356-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005426930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.335{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63355-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000005426929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.335{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63355-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 11241100x80000000000000005426928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:18.741{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005426927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:18.741{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0CF9B0B844F9D12A8AE98234D43F10C,SHA256=CF83FE7FBB9EBEB80E2A37F0235811916308B5324A2024119A311F90F2232F0Dfalsetrue 12241200x80000000000000005426926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:18.709{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000005426925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:18.506{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:18.506{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E28D759B5DBE1E3446B7717B2D20122,SHA256=9D549DA1D05581705F9E01C86205A9DB5844B9E8CA4CAD3F387FD2B82E4AE5B3falsetrue 10341000x80000000000000001535128Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.326{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FC8A-6138-26CE-00000000F101}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535127Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:18.326{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535126Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.326{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535125Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:18.326{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535124Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.326{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535123Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:18.326{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FC8A-6138-26CE-00000000F101}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535122Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.326{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC8A-6138-26CE-00000000F101}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535121Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.312{AEE49BD1-FC8A-6138-26CE-00000000F101}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535120Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.093{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D73BF00492ABF610D39AE80549382751,SHA256=D4E8F55786F468386499EF6B5224435A73D5F759003E5E633154879C2FA4ECF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535131Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:19.876{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0162FAADBBFE6D3073DF691D3411A24,SHA256=34E116B774F0C1172D5D9755C618BBD60325F5CD1B96C9011238B0623FEB1577,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:19.803{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005426987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005426986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005426985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005426984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005426983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005426982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005426981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005426980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005426979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005426978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005426977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005426976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared 
LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005426975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005426974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005426973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005426972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005426971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005426970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005426969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005426968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 
(rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005426967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005426966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005426965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005426964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005426963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005426962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005426961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
10341000x80000000000000005426960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005426959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005426958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005426957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005426956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005426955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005426954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005426953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.241{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005426952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:21.241{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005426951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:21.241{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005426950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:21.241{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000005426949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:21.241{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005426948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:21.241{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005426947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:21.241{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001535139Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:22.922{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745A43822E36B3AAFCA4E156284A3F60,SHA256=A48F62D46E5D4035126EB02BA8A99B458A8B4BB3095E91A2BB32265F2776763E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535138Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:22.467{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535137Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:22.467{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535136Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:22.467{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005427125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.913{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.913{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC1B70EC23B6A46A70B695A24758244,SHA256=8669EAF2D28D29F11718C223141340F948B6650E6A0B5D00DC30C55D9A1777A4falsetrue 534500x80000000000000005427123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.756{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005427171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005427170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005427169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005427168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005427167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005427166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005427165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 
734700x80000000000000005427164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005427163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005427162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005427161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005427160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005427159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005427158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005427157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 
(rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005427156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005427155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005427154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005427153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 
(rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005427152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005427151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005427150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005427149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005427148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005427147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005427146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005427145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005427144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005427143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005427142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005427140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005427139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005427138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005427137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:23.303{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005427136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005427135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.304{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005427134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000005427128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:08.756{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63358-false10.0.1.12-8000- 11241100x80000000000000005427127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.053{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.053{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E328360DD62B63AAF41AE2A2BB8981,SHA256=5BAE8B9C469669017CA3BA973455E2DA4C6BDB2D5E41ACC5B106DEF98FC98A56falsetrue 23542300x80000000000000001535141Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:24.928{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25FE5CC98AF7005EC6D5AD94F5007071,SHA256=A2B2F03312504DDA22503971F1228D18B01C49EE40362DD67C81377845119D8C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.975{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
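The records above are Sysmon events whose XML tags were stripped on export, so the `<System>` fields (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) and the `<EventData>` fields run together with no delimiter. The example below is added here and is not part of the original export, of Splunk, or of the Attack Range project. It recovers the fields of the event types that make up the splunk-powershell.exe sequence above (event 1 process creation, event 10 process access, events 17/18 pipe activity), then runs two checks over them: which named pipes each image connected to, and whether any process received a full-access (0x1fffff) handle from something other than its parent or a console/subsystem process. It assumes what holds for every record on this page: RuleName is "-", and the five file-metadata fields of event 1 are rendered as "-----". Six sample records are copied from this page; the seventh (EventRecordID 9999999, image C:\Temp\tool.exe) is constructed so the detection has something to fire on. Function names are this example's own.

```python
import re
from typing import Dict, List, Set, Tuple

# Records are run together with a single space before each new <System> block
# (EventID Version Level Task Opcode Keywords EventRecordID Channel).
_RECORD_SPLIT = re.compile(r"\s(?=\d+0x[0-9A-F]{16}\d+Microsoft-Windows-Sysmon/Operational)")

# Sysmon sets Task == EventID, which makes "17141700x..." unambiguous:
# EventID 17, Version 1, Level 4, Task 17, Opcode 0.  Assumption (true for every
# record on this page): RuleName is "-", so the hyphen after Computer is RuleName.
_HEADER = re.compile(
    r"^(?P<EventID>\d{1,2})(?P<Version>\d)(?P<Level>\d)(?P=EventID)(?P<Opcode>\d)"
    r"(?P<Keywords>0x[0-9A-F]{16})(?P<EventRecordID>\d+)"
    r"(?P<Channel>Microsoft-Windows-Sysmon/Operational)(?P<Computer>.+?)-"
    r"(?:(?P<EventType>CreatePipe|ConnectPipe))?"            # events 17/18 only
    r"(?P<UtcTime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<rest>.*)$")

GUID = r"\{[0-9A-F-]{36}\}"
PATH = r"[A-Za-z]:\\"
_BODY = {
    # Event 1 (ProcessCreate, schema v5).  Assumption: FileVersion, Description,
    # Product, Company and OriginalFileName are all "-" (rendered "-----").  User is
    # matched as DOMAIN\name so CurrentDirectory keeps its trailing backslash.
    1: re.compile(
        rf"^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<Image>{PATH}.+?)-----"
        rf'(?P<CommandLine>".*?")(?P<CurrentDirectory>{PATH}(?:.*?\\)?)'
        r"(?P<User>[^\\{]+\\[^\\{]+)"
        rf"(?P<LogonGuid>{GUID})(?P<LogonId>0x[0-9a-f]+?)(?P<TerminalSessionId>\d)"
        r"(?P<IntegrityLevel>Low|Medium|High|System)(?P<Hashes>MD5=[^{]+)"
        rf"(?P<ParentProcessGuid>{GUID})(?P<ParentProcessId>\d+)"
        rf'(?P<ParentImage>{PATH}.+?)(?P<ParentCommandLine>".*)$'),
    # Event 10 (ProcessAccess).  SourceProcessId and SourceThreadId were rendered as
    # one digit run ("412528"); the boundary is not recoverable, so keep them combined.
    10: re.compile(
        rf"^(?P<SourceProcessGUID>{GUID})(?P<SourcePidTid>\d+)(?P<SourceImage>{PATH}.+?)"
        rf"(?P<TargetProcessGUID>{GUID})(?P<TargetProcessId>\d+)(?P<TargetImage>{PATH}.+?)"
        rf"(?P<GrantedAccess>0x[0-9a-f]+?)(?P<CallTrace>{PATH}.*)$"),
    # Events 17/18 (PipeCreated / PipeConnected) share one layout.
    17: re.compile(rf"^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<PipeName>.+?)(?P<Image>{PATH}.+)$"),
}
_BODY[18] = _BODY[17]


def parse_export(text: str) -> List[Dict[str, str]]:
    """Split a flattened export into records and name the fields of the event types
    handled above; other event IDs keep their raw payload under 'EventData'."""
    events: List[Dict[str, str]] = []
    for rec in _RECORD_SPLIT.split(text.strip()):
        m = _HEADER.match(rec)
        if not m:
            continue
        ev = {k: v for k, v in m.groupdict().items() if v is not None and k != "rest"}
        body = _BODY.get(int(ev["EventID"]))
        bm = body.match(m.group("rest")) if body else None
        if bm:
            ev.update(bm.groupdict())
        else:
            ev["EventData"] = m.group("rest")
        events.append(ev)
    return events


EXPECTED_FULL_ACCESS = {"csrss.exe", "conhost.exe"}   # subsystem/console processes


def full_access_from_unexpected(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Event 10 with PROCESS_ALL_ACCESS (0x1fffff) from a source that is neither the
    target's parent (per its event 1) nor a subsystem/console process."""
    parents = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == "1"}
    hits = []
    for e in events:
        if e["EventID"] != "10" or int(e["GrantedAccess"], 16) != 0x1FFFFF:
            continue
        src = e["SourceImage"].rsplit("\\", 1)[-1].lower()
        if src in EXPECTED_FULL_ACCESS or parents.get(e["TargetProcessGUID"]) == e["SourceProcessGUID"]:
            continue
        hits.append((e["EventRecordID"], e["SourceImage"], e["TargetImage"]))
    return hits


def pipes_by_image(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Named pipes each image connected to (event 18); anonymous pipes are excluded."""
    out: Dict[str, Set[str]] = {}
    for e in events:
        if e["EventID"] == "18" and e["PipeName"] != "<Anonymous Pipe>":
            out.setdefault(e["Image"], set()).add(e["PipeName"])
    return out


# Sample input: six records copied from this page, plus one constructed record
# (EventRecordID 9999999, hypothetical C:\Temp\tool.exe) so the detection fires.
SAMPLE = " ".join([
    r'154100x80000000000000005427135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.304{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
    r'10341000x80000000000000005427137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.303{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f',
    r'10341000x80000000000000005427136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781',
    r'18141800x80000000000000005427176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe',
    r'18141800x80000000000000005427174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe',
    r'17141700x80000000000000005427189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:23.991{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe',
    # constructed, not from the page:
    r'10341000x80000000000000009999999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:00.000{00000000-0000-0000-0000-000000000000}11112222C:\Temp\tool.exe{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134',
])

if __name__ == "__main__":
    evs = parse_export(SAMPLE)
    for ev in evs:
        print(ev["EventRecordID"], ev["EventID"], ev.get("Image") or ev.get("SourceImage"))
    print("pipes:", pipes_by_image(evs))
    print("suspicious full-access handles:", full_access_from_unexpected(evs))
```

On the page's own records the full-access check stays quiet: csrss.exe opening a new process with 0x1fffff is the Win32 subsystem doing its job, and splunkd.exe opening splunk-powershell.exe is a parent handling the child it just created (its event 1 lists splunkd.exe as ParentImage). Only the constructed tool.exe record is reported. The parser deliberately does not split SourcePidTid: once the XML is flattened, "412528" could be PID 412 / TID 528 or PID 4125 / TID 28, and guessing would put a wrong PID into a timeline; if you need the split, go back to the forwarder's original XML or JSON rendering rather than this text.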
23542300x80000000000000005427323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.975{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565F309B6CA43445589E4A11F7896759,SHA256=3249FD8F461B9C84892F5F781B088B07540EF7084615A0CBEABF94B7B14CF014falsetrue 11241100x80000000000000005427322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B5B87BE50C6A65B448B4B5815BA1B548,SHA256=82AD4EA88826BF8AF3E8165356144B6ACBDCBE29CA92311799E88156AAF60583falsetrue 534500x80000000000000005427320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.819{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005427319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.819{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005427318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.819{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005427317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.819{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005427316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.709{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005427315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005427314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005427313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005427312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005427311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 
734700x80000000000000005427310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005427309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005427308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005427307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005427306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005427305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005427304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005427303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005427302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005427301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005427300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 
734700x80000000000000005427299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005427298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005427297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005427296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005427295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005427294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005427293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005427292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005427291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005427290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005427289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005427288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005427287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005427286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005427285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005427284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005427283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005427282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005427281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005427280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 
(rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005427279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005427278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005427276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005427275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005427274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005427273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000005427272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005427271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.679{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005427270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 13241300x80000000000000005427264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6 13241300x80000000000000005427263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,7202269,17102418,41484365,39965824,7153487,17110988,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x80000000000000005427262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000005427261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000005427260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 
12241200x80000000000000005427259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 12241200x80000000000000005427258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common 12241200x80000000000000005427257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0 12241200x80000000000000005427256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office 12241200x80000000000000005427255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft 12241200x80000000000000005427254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software 12241200x80000000000000005427253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000005427252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000005427251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 11241100x80000000000000005427250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.303{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.303{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BF905ECCBE33ED5C033A43EEF701CE2A,SHA256=75CBF179AB69A662C1772AC2FDC99BF9DB845CA9E772451E55AD0B00CCB0FEFCfalsetrue 11241100x80000000000000005427248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3FDC2D615F365BF370F31AE9CB5DA3,SHA256=0868C7B4BB63481F1748E9C87561984D0FC7325E6FC5B97E8640C29C9890259Bfalsetrue 11241100x80000000000000005427246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7E35193D799ACB5478FAAC4594CFCFC3,SHA256=B97819A5C41A85BDCCCAAC74772D31ACDDBCF4F83044CEACA6C8BBD36662FB78falsetrue 11241100x80000000000000005427244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AA9F614A965E404ADCA3D366D5707C,SHA256=7CFB073BE45F7B6F451F9A6F91FEA7300ACCA04CCA5706AF02307D6B0059D845falsetrue 534500x80000000000000005427242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.131{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005427241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.131{4DF467A6-FC8F-6138-1BD4-00000000F001}38805700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.131{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005427239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:24.131{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005427238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005427237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005427236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 
18141800x80000000000000005427235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005427234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005427233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005427232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005427231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005427230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005427229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005427228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005427227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 
(rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005427226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005427225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005427224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005427223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005427222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005427221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005427220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005427219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL 
Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005427218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005427217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005427216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005427215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005427214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005427213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005427212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005427211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005427210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005427209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005427208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 
734700x80000000000000005427207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005427206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005427205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005427204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005427203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005427202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005427201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005427200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005427198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005427197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005427196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005427195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005427194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.991{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005427193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.991{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535143Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:25.930{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5ADB1203429B9C1F658E43CB2A33875,SHA256=B33E68FD7632F3F8A313DADD443CDC90146D0B742988B599850C1198E7716761,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005427384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.381{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005427383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.381{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005427382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.381{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005427381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.381{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005427380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.272{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005427379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005427378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005427377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005427376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005427375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 
Sysmon records (Channel=Microsoft-Windows-Sysmon/Operational), one record per line in the export's original order, fields written as Key=value and separated by " | ". Values that are identical on every record are not repeated per line: Level=4, Opcode=0, Keywords=0x8000000000000000, Task=EventID, RuleName=-. Schema Version by EventID: 1=5, 3=5, 7=3, 10=3, 11=2, 12=2, 17=1, 18=1, 23=5.

EventID=7 (ImageLoad) | RecordID=5427374 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\wkscli.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Workstation Service Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WKSCLI.DLL | Hashes=MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427373 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\netutils.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Net Win32 API Helpers DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NETUTILS.DLL | Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427372 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\netapi32.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Net Win32 API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NetApi32.DLL | Hashes=MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427371 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=msvcp140.dll | Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF | Signed=true | Signature=Microsoft Corporation | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427370 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\bcrypt.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcrypt.dll | Hashes=MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427369 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\Wldap32.dll | FileVersion=10.0.14393.3269 (rs1_release.190929-1234) | Description=Win32 LDAP API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WLDAP32.DLL | Hashes=MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427368 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\adsldpc.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=ADs LDAP Provider C DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=adsldpc | Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427367 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\msvcp_win.dll | FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcp_win.dll | Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427366 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=vcruntime140.dll | Hashes=MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9 | Signed=true | Signature=Microsoft Corporation | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427365 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\winspool.drv | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Windows Spooler Driver | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=winspool.drv | Hashes=MD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427364 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\oleaut32.dll | FileVersion=10.0.14393.4402 (rs1_release.210426-1725) | Description=OLEAUT32.DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLEAUT32.DLL | Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427363 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427362 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | FileVersion=1.0.2t | Description=OpenSSL Shared Library | Product=The OpenSSL Toolkit | Company=The OpenSSL Project, http://www.openssl.org/ | OriginalFileName=libeay32.dll | Hashes=MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427361 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427360 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\bcryptprimitives.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcryptprimitives.dll | Hashes=MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427359 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427358 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | FileVersion=1.0.2t | Description=OpenSSL Shared Library | Product=The OpenSSL Toolkit | Company=The OpenSSL Project, http://www.openssl.org/ | OriginalFileName=ssleay32.dll | Hashes=MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427357 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\combase.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Microsoft COM for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=COMBASE.DLL | Hashes=MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427356 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\ucrtbase.dll | FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ucrtbase.dll | Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427355 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\ole32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Microsoft OLE for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLE32.DLL | Hashes=MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427354 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427353 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | FileVersion=2.9.9 | Description=libxml2 library | Product=libxml2 | Company=- | OriginalFileName=libxml2.dll | Hashes=MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427352 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\activeds.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=ADs Router Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ADs | Hashes=MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427351 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\ws2_32.dll | FileVersion=10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Description=Windows Socket 2.0 32-Bit DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ws2_32.dll | Hashes=MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427350 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\rpcrt4.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Remote Procedure Call Runtime | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=rpcrt4.dll | Hashes=MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427349 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\sechost.dll | FileVersion=10.0.14393.3808 (rs1_release.200707-2105) | Description=Host for SCM/SDDL/LSA Lookup APIs | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=sechost.dll | Hashes=MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427348 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\msvcrt.dll | FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Description=Windows NT CRT DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcrt.dll | Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427347 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\advapi32.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Advanced Windows 32 Base API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=advapi32.dll | Hashes=MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427346 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\gdi32full.dll | FileVersion=10.0.14393.4530 (rs1_release.210705-0736) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427345 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\gdi32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427344 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\win32u.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Win32u | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Win32u.DLL | Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427343 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\user32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Multi-User Windows USER API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=user32 | Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=10 (ProcessAccess) | RecordID=5427342 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | SourceProcessGuid={4DF467A6-D934-6137-57AF-00000000F001} | SourceProcessId=5448 | SourceThreadId=6556 | SourceImage=C:\Windows\system32\conhost.exe | TargetProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | TargetProcessId=4112 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=7 (ImageLoad) | RecordID=5427341 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\KernelBase.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Kernelbase.dll | Hashes=MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427340 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\kernel32.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=kernel32 | Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427339 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\ntdll.dll | FileVersion=10.0.14393.4530 (rs1_release.210705-0736) | Description=NT Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ntdll.dll | Hashes=MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5427338 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | FileVersion=8.0.2 | Description=Windows Print Monitor | Product=splunk Application | Company=Splunk Inc. | OriginalFileName=splunk-winprintmon.exe | Hashes=MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=10 (ProcessAccess) | RecordID=5427337 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | SourceProcessGuid={4DF467A6-3F46-6132-0500-00000000F001} | SourceProcessId=412 | SourceThreadId=380 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | TargetProcessId=4112 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 (ProcessAccess) | RecordID=5427336 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.256 | SourceProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} | SourceProcessId=7044 | SourceThreadId=1372 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | TargetProcessId=4112 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 (ProcessCreate) | RecordID=5427335 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.242 | ProcessGuid={4DF467A6-FC91-6138-1DD4-00000000F001} | ProcessId=4112 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | FileVersion=8.0.2 | Description=Windows Print Monitor | Product=splunk Application | Company=Splunk Inc. | OriginalFileName=splunk-winprintmon.exe | CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" | CurrentDirectory=C:\Windows\system32\ | User=NT AUTHORITY\SYSTEM | LogonGuid={4DF467A6-3F46-6132-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System | Hashes=MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2 | ParentProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} | ParentProcessId=7044 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=18 (PipeConnected) | RecordID=5427334 | Computer=win-dc-291.attackrange.local | EventType=ConnectPipe | UtcTime=2021-09-08 18:10:25.241 | ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} | ProcessId=7044 | PipeName=<Anonymous Pipe> | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
EventID=17 (PipeCreated) | RecordID=5427333 | Computer=win-dc-291.attackrange.local | EventType=CreatePipe | UtcTime=2021-09-08 18:10:25.241 | ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} | ProcessId=7044 | PipeName=<Anonymous Pipe> | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
EventID=18 (PipeConnected) | RecordID=5427332 | Computer=win-dc-291.attackrange.local | EventType=ConnectPipe | UtcTime=2021-09-08 18:10:25.241 | ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} | ProcessId=7044 | PipeName=<Anonymous Pipe> | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
EventID=17 (PipeCreated) | RecordID=5427331 | Computer=win-dc-291.attackrange.local | EventType=CreatePipe | UtcTime=2021-09-08 18:10:25.241 | ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} | ProcessId=7044 | PipeName=<Anonymous Pipe> | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
EventID=18 (PipeConnected) | RecordID=5427330 | Computer=win-dc-291.attackrange.local | EventType=ConnectPipe | UtcTime=2021-09-08 18:10:25.241 | ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} | ProcessId=7044 | PipeName=<Anonymous Pipe> | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
EventID=17 (PipeCreated) | RecordID=5427329 | Computer=win-dc-291.attackrange.local | EventType=CreatePipe | UtcTime=2021-09-08 18:10:25.241 | ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} | ProcessId=7044 | PipeName=<Anonymous Pipe> | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
EventID=11 (FileCreate) | RecordID=5427328 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.194 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 (FileDelete) | RecordID=5427327 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.194 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=641ADB23F024A98E69501F79EA702ADB,SHA256=4EF77E24688B1B264EA658FB9C754BAD6837B649D04346336BE463277890FF92 | IsExecutable=false | Archived=true
EventID=23 (FileDelete) | RecordID=1535142 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:10:25.531 | ProcessGuid={AEE49BD1-415B-6132-1B00-00000000F101} | ProcessId=1836 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7168 | Hashes=MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5427326 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.006 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-09-03 15:27:39.769
EventID=23 (FileDelete) | RecordID=5427325 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:25.006 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=6FE9159EE426801D2B71A546356C4A38,SHA256=C606D6727BE537E7EA2313148B5AD1DC31D77815FE15BECE149FE98125C51AB7 | IsExecutable=false | Archived=true
EventID=23 (FileDelete) | RecordID=1535147 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:10:26.933 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=1C0E1D128E08AC41BC133D4AA12FEAC4,SHA256=C37CF886FC11F61B43DCF558DF97ABF9F8A374D4FC956299086EB079393150FB,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5427388 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:26.381 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 (FileDelete) | RecordID=5427387 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:26.381 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=929F3662A2C4B271E578DC15C150D431,SHA256=76AB5A60D406A5D37810E7568C908D647348AB728111480F532A130B7916F8DB | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5427386 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:26.381 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-09-03 15:27:39.769
EventID=23 (FileDelete) | RecordID=5427385 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:26.381 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=3E82E7EFAE6580D95684BB2413C41397,SHA256=BAAE7A7E9400259A69881FC4FD87AB30D0B53E511B9586D4E24EB5F5D6BD3A38 | IsExecutable=false | Archived=true
EventID=23 (FileDelete) | RecordID=1535146 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:10:26.532 | ProcessGuid={AEE49BD1-415B-6132-1B00-00000000F101} | ProcessId=1836 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7169 | Hashes=MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=23 (FileDelete) | RecordID=1535145 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:10:26.262 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=DE875F8A42445A9767A285DDE987C581,SHA256=3ADAC0BACB4A31D0E3AD418399ED2BF599EAD3B3773C01F84FBDD493D6128998,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=23 (FileDelete) | RecordID=1535144 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:10:26.262 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=1A8FB37AD7AC103A479186633023E638,SHA256=0530421890C1463C35DC0165BBC9BF655110C2EC491F98A4D749C0A9CBA5EF8C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=23 (FileDelete) | RecordID=1535149 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:10:27.935 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=CBB6F3DD70AEA195DDE8871F819E5D3F,SHA256=46B77F9730428C7D6C081AF6E2B3C66AF178EC6934BF1FCBC747B46210644F32,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5427392 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:27.795 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-09-03 15:27:39.769
EventID=23 (FileDelete) | RecordID=5427391 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:27.795 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=9BD4F64538FAE33F83E98F87B05E29BE,SHA256=415B50BF247BC472028D0E073455446BE39AAA33FD345A1A1C9BC90E849BC98E | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5427390 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:27.389 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 (FileDelete) | RecordID=5427389 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:27.389 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=A56B8888072C3CDE2B2B4C2DE417D919,SHA256=D8A7A612C6C1BCAA3CDA977748EEA1D83635C70357CA8F0E08C9324E2B8284A3 | IsExecutable=false | Archived=true
EventID=3 (NetworkConnect) | RecordID=1535148 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:10:19.888 | ProcessGuid={AEE49BD1-41F7-6132-D100-00000000F101} | ProcessId=3472 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-296.attackrange.local | SourcePort=60605 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
EventID=11 (FileCreate) | RecordID=5427394 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:28.405 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 (FileDelete) | RecordID=5427393 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:28.405 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=516A32E8FE55EADE9BDE56EF645FC5B8,SHA256=3EEF62E5D6F08F2578B20534E4A690612C2E1DD02DAF82C305BFCC977AE9C2ED | IsExecutable=false | Archived=true
EventID=23 (FileDelete) | RecordID=1535150 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:10:28.938 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=409CE53A67235FAABA7D64739F40AB21,SHA256=E560F52C5AF12E424DC8846E67A523242DE5AD883E80A1593A6E8B80BA131E21,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5427403 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:29.936 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 (FileDelete) | RecordID=5427402 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:29.936 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=E09F1021879B01B1DCFFC0263CD8D7F1,SHA256=54BE08138B967ED135DE6DB3EF698EFC1FE392A7C69344ABB488DE6393C73F0E | IsExecutable=false | Archived=true
EventID=3 (NetworkConnect) | RecordID=5427401 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:14.794 | ProcessGuid={4DF467A6-D939-6137-81AF-00000000F001} | ProcessId=4208 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-291.attackrange.local | SourcePort=63359 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
EventID=11 (FileCreate) | RecordID=5427400 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:29.420 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 (FileDelete) | RecordID=5427399 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:29.420 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=BFD8F41F497F12D968EDBDCE4E3901FA,SHA256=A666E52F24A8817E68E26CD5D07B032677F58D2679645DE72F37193070746BBE | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5427398 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:29.217 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 (FileDelete) | RecordID=5427397 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:29.217 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=4139D0FB58D7B25890501A77CE8F6AAA,SHA256=E7704C7DCA37026AF08ACD39DF7D66D0069A16533E88CB6378321F6A877436C1 | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5427396 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:29.123 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 (FileDelete) | RecordID=5427395 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:29.123 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=564CF03E9132AEE37E3B448B264F6520,SHA256=9E68A92A2DF64C07818539A44A5D412BF5070651AE8B913E28C45C665F2FCAC1 | IsExecutable=false | Archived=true
EventID=23 (FileDelete) | RecordID=1535151 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:10:29.973 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=21F0F0CBB9869C8BD6F784B158A4FCD0,SHA256=A2424938B51B7D2B793DF096ECCB82036B1BA7F019B1A70503223C9E769E617F,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5427407 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:30.436 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 (FileDelete) | RecordID=5427406 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:30.436 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=F9CCA234B2D8276D273E09609D5C76DF,SHA256=C7FEF67DBF659DAC1516565A04637E3C25196DB60FDF383B3C48B9929063296F | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5427405 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:30.233 | ProcessGuid={4DF467A6-3F48-6132-1000-00000000F001} | ProcessId=8 | Image=C:\Windows\System32\svchost.exe | TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat | CreationUtcTime=2021-09-03 15:29:12.185
EventID=23 (FileDelete) | RecordID=5427404 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:30.233 | ProcessGuid={4DF467A6-3F48-6132-1000-00000000F001} | ProcessId=8 | User=NT AUTHORITY\LOCAL SERVICE | Image=C:\Windows\System32\svchost.exe | TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat | Hashes=MD5=303D0E05D1333C723E7E0B48D8D7F0D2,SHA256=275EB5B98A35DC6870D260BF50AC2FC4F24109AC1ECBD07312A4D74ED25E3C73 | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5427409 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:31.451 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 (FileDelete) | RecordID=5427408 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:31.451 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=9B7A557722C8192FDF6BC0C97FEB12A3,SHA256=B1A34F356621808BBDA32D0A565F88F8716B36FB18AE520A8E034B657D764AC6 | IsExecutable=false | Archived=true
EventID=23 (FileDelete) | RecordID=1535152 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:10:31.007 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=C3065D378C0DC757CCB4030BB4F91E7C,SHA256=59DCD2FA9F503C5CA577EE1407263EC6BD34311BF4BF6D9471D54CBFEE813D17,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=12 (RegistryEvent) | RecordID=5427412 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:10:32.983 | ProcessGuid={4DF467A6-3F48-6132-1100-00000000F001} | ProcessId=360 | Image=C:\Windows\system32\svchost.exe | TargetObject=HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
EventID=11 (FileCreate) | RecordID=5427411 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:10:32.592 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
23542300x80000000000000005427410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:32.592{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB541D21A1E276D56039CB1C99A52CD0,SHA256=925920D71387079AF7278EA24363EE134772D94A7F775AFB15B01EB850672486falsetrue 354300x80000000000000001535165Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:25.837{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60606-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001535164Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.580{AEE49BD1-FC98-6138-27CE-00000000F101}5888772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535163Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.464{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FC98-6138-27CE-00000000F101}5888C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535162Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.464{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535161Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:32.464{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535160Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.464{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535159Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:32.464{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535158Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.464{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FC98-6138-27CE-00000000F101}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535157Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.464{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC98-6138-27CE-00000000F101}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535156Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.449{AEE49BD1-FC98-6138-27CE-00000000F101}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535155Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.348{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0729602266DBD984E6CA02704D6E736B,SHA256=0117A439116917017FC8E124B54604A1EE1DB57962B8EA0BDE28B65DCD76E682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535154Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.348{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE875F8A42445A9767A285DDE987C581,SHA256=3ADAC0BACB4A31D0E3AD418399ED2BF599EAD3B3773C01F84FBDD493D6128998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535153Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.010{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA4EBBFB487E44C2C6EE21645E6D9DD,SHA256=022EE8FCEB4ABC2BF1B97546A8F7C9D00A9CF80C660B698916A949A7BE2FBABC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:33.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:33.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB54B1F2BB9FC7D85668BEE86676DE0,SHA256=D82BCC1E11D76D7D6088C631993157915D4EAD4590FD1A678B146B4F792FCDEEfalsetrue 10341000x80000000000000001535185Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.767{AEE49BD1-FC99-6138-29CE-00000000F101}34484632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535184Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.636{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FC99-6138-29CE-00000000F101}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535183Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:33.636{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535182Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.636{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535181Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:33.636{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535180Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.636{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535179Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:33.636{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FC99-6138-29CE-00000000F101}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535178Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.636{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC99-6138-29CE-00000000F101}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535177Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.630{AEE49BD1-FC99-6138-29CE-00000000F101}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535176Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.451{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0729602266DBD984E6CA02704D6E736B,SHA256=0117A439116917017FC8E124B54604A1EE1DB57962B8EA0BDE28B65DCD76E682,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535175Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.181{AEE49BD1-FC99-6138-28CE-00000000F101}54241176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535174Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.065{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FC99-6138-28CE-00000000F101}5424C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535173Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.065{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535172Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:33.065{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535171Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.065{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535170Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:33.065{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535169Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.065{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FC99-6138-28CE-00000000F101}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535168Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.065{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC99-6138-28CE-00000000F101}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
23542300x80000000000000005427467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:45.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0E344CC31600B0CF4FB61E9FF433F374,SHA256=9D6FA3C53CA836879A74FA2A23D147B7FF2F66EF9F6588AC222561CDDABCDFB9falsetrue 11241100x80000000000000005427466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:45.076{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005427465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:45.076{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBCF9F2816DC19117B0451B064DFCDD1,SHA256=A97258ED0E2AD876307079CF902EF32678C99F0E787858625F9DE402B4984661falsetrue 11241100x80000000000000005427473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:46.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:46.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484BD747C55F0D91C1D374B2EA7237EC,SHA256=460C67DFC7DC01F1DE0025A984D93FAA0B0AF08A14C577F949E5F53D9406A297falsetrue 23542300x80000000000000001535212Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:46.172{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C6B7E3504AB2D75885E6952C98A9CD,SHA256=4C15A3B54E91DFC8F7D03D742551423CFEFC34DAEBA466F8187DDD5C6D5252A0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.824{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.824{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDD5AF3409B3A06FDCA37B2BC8849C7,SHA256=740CCD3B93C31BC03FAD7AEACD387C78B10A1EEB1739A7E214B1F2C2927F0B9Efalsetrue 23542300x80000000000000001535213Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:47.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC84378DD32DD05D4A10A558FEAB8A1A,SHA256=0A6672A29620FAC6384E0C31A60E166F7648BCA8BF47F1736B81FB3F6A204813,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005427476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0783B409D995EFA77642ED010D2D003,SHA256=BFC19E92ED4D870DA25B1872F7D5D982CFC45E433D643FE5379AD6550F5AF8D5falsetrue 11241100x80000000000000005427475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.605{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005427474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.605{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005427481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:48.840{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:48.840{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DCE09EE182BC9FFB1FE7A801FD98D5,SHA256=4C01F6365BA59CEB7B0496106E31762263A2189140137692D69EFE56F0AAF1B6falsetrue 23542300x80000000000000001535214Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:48.193{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741D88BB89657EF3217DF5EC524B8BB7,SHA256=F5001F6EAADFA45B42FA2864AAF8979462CBB30F5E9C7DFD08CFEFF3574DFE0A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:49.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:49.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244EBF9BC70FBE5239CCE44DEF4BDD97,SHA256=8CA14AA10DC7A3FD280271BD995FFBBB67605EF77F77093AE103A3671221BAEBfalsetrue 354300x80000000000000001535218Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:42.784{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60609-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535217Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:49.196{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F6B36DB79CCAB0EDF2662B31905771,SHA256=47F60EB8004AB5C350AC04E07B20254BD649AFA11E64C1ECDFACF09197D7452E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:49.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:49.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E74315CAB81F1672711FD8A4817F2AFD,SHA256=ABCC69054234D7462957A19BEC01B5B70B852E012F926E1291A358C1EE1AF357falsetrue 
11241100x80000000000000005427484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:49.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:49.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3D2DDE0F81592DE50C793B6A285A0F61,SHA256=7DE3F4873EA2F4C725C96602990DAAE989828689555F3D026AB954C68BA2EE1Efalsetrue 354300x80000000000000005427482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:35.244{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63363-false10.0.1.12-8089- 23542300x80000000000000001535216Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:49.127{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D34CB38CB762CCB5A1B1A37B4030E6,SHA256=B7BF9E9AB1443F8A52CDD3C4DD3D54EBEC778945FACC449874778815762E71AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535215Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:49.127{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F622F9C9AA817DAF82BDAEEFF8BF019,SHA256=55EE91BCC4659C4831DD9743A644C39C5249605B21344485E001C3CA5D46DAB9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:50.871{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:50.871{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD041394300A0AF3947D4A8F40D6EDD,SHA256=E381C26A8D285C6B1AAE9DA2AF86439BD52F4383E4233B83C03F3F0376AE0D88falsetrue 23542300x80000000000000001535219Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:50.199{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C5CB30BE9E1BE43FB4DAE2E2FD1FBA,SHA256=B5DCDFAEBA998401636328EC058825489F58D911141FFCF67AAB5AC68EAAF23E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:50.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000005427491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:50.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=266590359FDC30DB4C4B3CEE89032967,SHA256=84565F41E3A0500EFAE803720BA91426085C4980CDA5FC3B4CB4F64310C03187falsetrue 11241100x80000000000000005427490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:50.121{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:50.121{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6C784EF618842E8BF9BE13A118B66E06,SHA256=615C88377D3FBE24ECABBE089B419B56458A5716516C64D94EE0BDAD8E22D436falsetrue 11241100x80000000000000005427497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:51.886{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:51.886{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7302D0CB19E870756694194E30B2B69D,SHA256=3555BF29676ADA273C96358F2512E3DC3D1C94B55A87B3135B131F4F3236B7D0falsetrue 23542300x80000000000000001535220Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:51.202{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3381F0B4FD43B8F4B081C96A6754D3C,SHA256=B1D80A564719695674F198E5D64030092C21BCBD0E0F32D59E65F5C4C7B29729,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005427495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:36.885{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63364-false10.0.1.12-8000- 11241100x80000000000000005427499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:52.902{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:52.902{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3360303022A08CA2A09D3DA28C56D653,SHA256=C27F8144E46674D469C5AB5C16C465876770AC5ACB4938E4453C91C47A5813F2falsetrue 
23542300x80000000000000001535221Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:52.204{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09928E6743CE3107177DB8CDEF238AB,SHA256=6B79E992BFC161565130AC2826FC91BBC3DE1F20888582C85D7DE2752D9FF394,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:53.918{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:53.918{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72560914523CAD26F7FE355C2D34966A,SHA256=FF61252D2FB630D3B8D99CA4789F08DFEB2C31EAD4D03CFA73985262F75966F2falsetrue 23542300x80000000000000001535222Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:53.238{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610979250B8044DB9BD4C5C457DDAF6E,SHA256=2C9B3EF3A1C8AC9C99C6FCFA740A3516B603C65B742D43466B5E0FEE08789FB4,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005427507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:54.933{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:54.933{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B80C0A6AA7A52942C3289406B2099C,SHA256=0F16EB6ADE56710F8303CC115EF02E580346661300B80858B7A3797002B00F2Ffalsetrue 23542300x80000000000000001535223Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:54.273{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496C422B14883E1374A27F7324487311,SHA256=25F96AC350FA90C03B96C38FB47D01741545C5D33B82C36907D08C5CAE691CC0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:54.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:54.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=72EA7B7E70971DEDDD6CBDD911974566,SHA256=A879B22622A8647181199B9FEE9DA5A56EB14F50F45D470E4027E3741868B6E3falsetrue 11241100x80000000000000005427503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:54.324{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:54.324{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F309C55CC951E366F835F43B35D3B711,SHA256=480E7C9DABD37C3EF78871D9E20E2860E4DD3F0CAA33C5F4BBDC876017CCF99Efalsetrue 11241100x80000000000000005427515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.949{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.949{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36046C31F2D6EE7710F1A4200D4312C,SHA256=D937DB08864AAD24717068250860B28ED481057D7856BF396CE468C45BFCE3B2falsetrue 
23542300x80000000000000001535226Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:55.292{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B96D1BDCBDF4A0B4D2948A279B80AAB,SHA256=D3A01FEB52201FC727A17A83F24F87592E9651C3447C0E0AA0A9C9DA46FE322A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005427512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF13F3D55493723C6AFCCD5EA7C7E87D,SHA256=A01A729D130A6209C15B9729F7F96482EC29B90ECB609E3537C3626CA0C1247Ffalsetrue 11241100x80000000000000005427511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005427510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D06DB7C3DABD442FA3B5F3460F7AD696,SHA256=031B7551939EA2CB14D2927084E1209408736C357E9CD5F03A15750AC3CBCAB1falsetrue 11241100x80000000000000005427509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D4B18123970C0E5750B0B1A8D4B5B804,SHA256=2D81785EA8A83ECFA208B908039E4E8CC471211DE39963773CD53B004092FA82falsetrue 23542300x80000000000000001535225Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:55.058{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E970E9A8FFB76A73F5B5C7A4DC9DF4DC,SHA256=70C216CE62D13EE9C6D445119A7310A3B50AED436BFA74849091B3805FD2BAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535224Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:55.058{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D34CB38CB762CCB5A1B1A37B4030E6,SHA256=B7BF9E9AB1443F8A52CDD3C4DD3D54EBEC778945FACC449874778815762E71AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:56.965{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:56.965{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F180659A955A92FD02DEB4FA3629C27C,SHA256=63B21222F474468034B9D507BA19684A00EDEA403A376A94E517BFCFC796AC38falsetrue 23542300x80000000000000001535228Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:56.295{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C54008AD439B867E53A1373898E8D87,SHA256=B2C6CEF1C1028F0A62A7BE0B5736371F8193E52F1382A0528EC3AF0CFEBC72E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005427516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:41.900{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63365-false10.0.1.12-8000- 
354300x80000000000000001535227Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:48.701{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60610-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005427520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:57.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:57.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AD1206809DED81E15B6AEE3DCCE92E,SHA256=210358783ED8FA5A5E7C63A5F756A90AA6A6205AE52A50C64E8D3DD12334BE78falsetrue 23542300x80000000000000001535229Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:57.302{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5F84F53C9323C8C058F8F27E834826,SHA256=EF3CDC8CB1C44EB21E084B871AE6C90E518C842733BC08E4D6380150FFEBE962,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:58.996{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:58.996{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F0E9CADFF47BCAAD88590A79C183CE,SHA256=1E56907BE6BA551D3C0F85A5839DE603E4221F3D786D743E3A0E0F412363F2C5falsetrue 23542300x80000000000000001535230Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:58.321{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0206CD368379720A27277F9FFB725621,SHA256=9D2A33860CB63A140CC6CB503219473B38D3A966D2EC60906A927DD5816D2861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535231Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:59.324{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1054069BF2A17465DCDD3DD3437150,SHA256=0118E894A45D3412DEC1B9A139D52F7AF55CF9B65FA5BD6BA436782D4F6073B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:59.543{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:59.543{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E244369B455FCFF933A3A96F760A1735,SHA256=A9C535F7EA7CCCF178947509299CFC14C439A01A426F5796C2436FBFF1A57B60falsetrue 11241100x80000000000000005427524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:59.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:59.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A8C509B89503288FBB18839E165BF043,SHA256=02B1205C2DB159F5E0A08D5220ED9C151B8BF37B3FBD3FE71BB6AE1C7E8A405Afalsetrue 23542300x80000000000000001535232Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:00.327{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF7552FB8CB0A33F67DA4623AD857C3,SHA256=ABA5BD4E318CB2A477B63755E52F4B16760914C0B7ABCF58D45CB7A2DC5BD14D,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005427530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:00.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:00.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5C8A9BA8B7736608960ABB3F230F3AFC,SHA256=37FD4545A9728F34F181412A2E38A49B3D68477FE91D8D3ABA1777E02A5D1724falsetrue 11241100x80000000000000005427528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:00.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:00.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42033A3A9D4460D44DA3C4D488B08AE3,SHA256=21AE16B0290062C1356E6123AB2001D403753869EBDA08F9C72B6A5AD9D8F421falsetrue 23542300x80000000000000001535235Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:01.360{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A901C3789EFBC157545EC33DCB1E4845,SHA256=9838DA7ED6B27B160105F91B4F86276F8A13658802EDF40CDB9A0E14FBA75A8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005427537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.900{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63366-false10.0.1.12-8000- 11241100x80000000000000005427536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:01.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005427535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:01.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE82C92AABAAE45E5A649F56D6381299,SHA256=E087A9E92475B8B5D4F9F3190CCF5C2AAE4B5AAC53475A1DECE7116A74A75B82falsetrue 11241100x80000000000000005427534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:01.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005427533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:01.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF13F3D55493723C6AFCCD5EA7C7E87D,SHA256=A01A729D130A6209C15B9729F7F96482EC29B90ECB609E3537C3626CA0C1247Ffalsetrue 11241100x80000000000000005427532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:01.027{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:01.027{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03E6C2BB4A9DCA8DB0A578A90B7A9AB,SHA256=11B635C934BD5761B44785A6D7D70027A6202AF3C9FA80FE24E0359AB3F29805falsetrue 23542300x80000000000000001535234Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:01.090{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D54D3CA36092C38F98A264BBB24269B8,SHA256=938B3640CF36C5CA9495F6308E8EB97A1FF5329CA1C79E5AD860E07D6F6CCFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535233Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:01.090{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E970E9A8FFB76A73F5B5C7A4DC9DF4DC,SHA256=70C216CE62D13EE9C6D445119A7310A3B50AED436BFA74849091B3805FD2BAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535237Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:02.378{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0AEF7049FF9DAAF4F194AD41BE3297,SHA256=F5F457107FAA2A87A0109F1AC09C9914396E137EF16D7812004F6CCD211FC985,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:02.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005427540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:02.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE82C92AABAAE45E5A649F56D6381299,SHA256=E087A9E92475B8B5D4F9F3190CCF5C2AAE4B5AAC53475A1DECE7116A74A75B82falsetrue 11241100x80000000000000005427539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:02.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005427538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:02.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47462B1BEA7363C53BC974CBA2A22B8,SHA256=37DA2321103E523DD529659E23E302F69BB097B172B28633D68573A76524CEBCfalsetrue 354300x80000000000000001535236Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:54.717{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60611-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535238Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:03.396{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A387C108D1BE69DCBA0FE1E10FAE737D,SHA256=58720F348912F90BA7E64FDA0AC149CB108A9B997F768506426F8BE20B0E1410,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:03.058{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:03.058{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC847EE03D1C50CC93A0C359EF5FFB9,SHA256=F9B9CC18ECECE5C1189773D7463C986DD9DBEE8C9E50CC81E774FF864912B305falsetrue 23542300x80000000000000001535239Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:04.399{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2069F9ACC7B8B0AB66B1071E82E8A2,SHA256=9A968F7C8B4922FDE424C31E8C998FA8184C1131C026BC9DC5DD2C48EB14B26A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:04.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:04.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BF3E5CE2D1F31D61A9B83A14EC1ECBB7,SHA256=CF0C442DF9A06B888C7D37731C5243C2EF7768A1C0CCD3B4CC26612C9473806Dfalsetrue 11241100x80000000000000005427547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:04.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:04.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=10AC9F3DA57F06186668EDDAD4AC3409,SHA256=CBF8221B914FA7224BE0711054C292106F7E4E7C12D9D0C07D1F0830C6400998falsetrue 11241100x80000000000000005427545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:04.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:04.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBA066CEBC413003CBCA4DEA7C3CBB5,SHA256=C48F440A573A0129A4D9538A558A7C550D9834E153BCA4BF725FC75221D8C71Dfalsetrue 23542300x80000000000000001535241Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:05.770{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D3644844FB9AA4EAE41FF77EE2F0E565,SHA256=8B322609DFAB1A0409F0C9E1D65BAEE58387B5E5A20EF3A91EC3073E7E44915E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001535240Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:05.401{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D55514F27757FCA4C7F12D8AFADF1A7,SHA256=D879AFF66EEDB2C2837B59C3D0A77C423F85F43792C3F184C3B667CD823F31AA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:05.293{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:05.293{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4BD621A1264087BD22A8E0CA06E0393D,SHA256=541DEDFBA4CED1BB12EA677FD4EE216CDB377330430548BD607CCD83A95CB665falsetrue 11241100x80000000000000005427551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:05.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:05.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941B1E9318B4F972B824BE9F39B61226,SHA256=194CF23ED93250864B25C88A928DCBC4BC4BDA1ADDA404D1AD91FE1D6D9A6F4Ffalsetrue 23542300x80000000000000001535242Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:06.421{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC79EFEB94B364E6491717925301F328,SHA256=7AF70BA987CCD0FFBA37DBD2B8A3081D594A7F016F703E7F17F3B34827CF6F92,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:06.105{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:06.105{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB37F37844F99A79B8EAA9160C51657B,SHA256=27DB004519392429205DB66B1E9E84FA756FFCB714A1E05CDA701360516BB9B9falsetrue 354300x80000000000000001535246Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:00.715{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60612-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535245Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:07.444{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F9EA697AFE705CBC993C9C67322848,SHA256=F872A9F0907512B8BBA6BAC5F7666BCD2DEB1D5445DF7C0135E86070DB0B3E2D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:07.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005427558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:07.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A378760C383ADDD6E97D9759D254CD4F,SHA256=BE22E362DB736A925C7FE8A07BA3C59868FE8911081E8DA683BA2C38D9BA6857falsetrue 11241100x80000000000000005427557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:07.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:07.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1A1B5E501BEF3F2B481B0AEF9728D9,SHA256=C988CEE21D8C52E14B9B9071F3399BF184D0799272EB475DA6C81C7C0B6C3C74falsetrue 23542300x80000000000000001535244Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:07.274{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4758DCF6D6AE69E981052B0A00FB5CF7,SHA256=17597BAAA1AF34C76F11E5D8DD4C360791713B88CD7094DBEA31155043FE7DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535243Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:07.274{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D54D3CA36092C38F98A264BBB24269B8,SHA256=938B3640CF36C5CA9495F6308E8EB97A1FF5329CA1C79E5AD860E07D6F6CCFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535247Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:08.446{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6752CE527E829D1F4F576BF8B661A5C,SHA256=D986392A7AE77D5F4BA39CE92F4FFD0164554FC78ABF7A5513DFEC834BBE6811,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005427562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:53.744{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63367-false10.0.1.12-8000- 11241100x80000000000000005427561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:08.125{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:08.125{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16B3F76E9EB7817EB15347B1DEB69B0,SHA256=93CEA9347D0B6574F52DCF1E486592BB4C0F87D50F3E73889BCE285CF84D95B3falsetrue 23542300x80000000000000001535248Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:09.449{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED98AFC8636223700FBC5E2475F21023,SHA256=ECA6CCC971F16B323DAA39948B32DA366B9CBB6E893ECF68426837E4B2D907D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.625{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005427567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.625{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4760C0B8F5512665CFB632CD3E14370F,SHA256=C2C579459A03E41D5F4CEADA2E2A33798E8CC13BCAA6CA3E2A2C29E39DD5ACD4falsetrue 11241100x80000000000000005427566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.390{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.390{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=869A589577149ABA24D97E222F7AE9EA,SHA256=BC0B2A40FE65CC8811841FF4EBFAC44BC24E99CB56BC2C0609080E439BC8DC61falsetrue 11241100x80000000000000005427564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E0C5D86FDD9CDC0E44D69EEC6CB45D,SHA256=08FF7C6F3C791D0D9F60A911F2A9E5BBD47AEC90F67E0C731146234E027E0021falsetrue 23542300x80000000000000001535249Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:10.452{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A191D63DD4F39BC1C86C1BAD3076127,SHA256=20587A745D75F6F4112518A74471AE3395460E77F523AF864DAB3914260BBB4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005427577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.537{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7178MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005427576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.535{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-71782021-09-08 18:11:10.535 11241100x80000000000000005427575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.535{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-71792021-09-08 18:11:10.534 11241100x80000000000000005427574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:10.313{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.313{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E58E3D851775A1DFDDA0A8B5E88E9614,SHA256=0724209598A9BC95EED478FFFD34865C14FC66DACFD6DB5E1508F72969D5FAABfalsetrue 12241200x80000000000000005427572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:11:10.188{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005427571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:11:10.188{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000005427570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA60CD478F4ED67E9A9CFF51204E149,SHA256=2DE22E5F5B08DFA28980098AC41A1850001FC5A0A10374BAFF549DF31622229Dfalsetrue 23542300x80000000000000001535250Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:11.455{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240EC0D925791DACAE0AC11E00D87538,SHA256=BEF908E0932F60043225F6EC6622326A761BC286DCB5D23A513D7F4C98D1800D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005427584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:57.843{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63368-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005427583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:57.843{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63368-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 23542300x80000000000000005427582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:11.535{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7179MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000005427581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:11.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005427580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:11.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B744C025BB64E69E2A303D9DE01D3E1A,SHA256=383647FE2D6E8A86BCD6D506FFF4B58788D387256BAF37ADBB5DAC8518955EAEfalsetrue 11241100x80000000000000005427579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:11.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:11.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCD011510AA3FC053558382B053A14E,SHA256=5B43A867E94DE9FD709E1F2E62891E58218C16A812E61D589CF067EC64262462falsetrue 23542300x80000000000000001535254Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:12.973{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001535253Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:12.456{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917DFA08230143EFC142863B5A8070A9,SHA256=B21C5E79942264C7471A9CCD6486127B241848998CAC898D2E6ACF76C50A14BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005427587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:58.751{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63369-false10.0.1.12-8000- 11241100x80000000000000005427586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:12.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:12.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DEDE1D22A9BA7D05150264493326DF7,SHA256=652221C7B97F9F5A541A3FDE39942D05A979B7A47C5337C03BB6F4354F2FEC45falsetrue 23542300x80000000000000001535252Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:12.419{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA83184475383CBC20C7D4C2F18E817C,SHA256=9D9C654C895E212A6DAD121A27F545589044B6F8079C01B4F21DD47A5F16FA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535251Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:12.419{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4758DCF6D6AE69E981052B0A00FB5CF7,SHA256=17597BAAA1AF34C76F11E5D8DD4C360791713B88CD7094DBEA31155043FE7DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535256Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:13.458{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687B71D9622DA6A2915F84121AAA0C18,SHA256=78AB6F3CD4BD397609E1A363A3FB26B3A7396D71F0AB21EA71E0F3A51FFED9F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:13.160{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:13.160{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62D6CA184CF783BAD75B55ADD106EBC,SHA256=FDA220AB7ACA7101A287011EFC2DCA76478059421C6C8154FC927EB315D25AE8falsetrue 354300x80000000000000001535255Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:05.845{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60613-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000001535259Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:07.633{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60614-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001535258Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:14.460{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BDCAD927DE1E7BCDDD713A33FA9DF9,SHA256=E19E92F2A588696E94E064691DEA8381632C9A35569F4F732D544707391961D6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:14.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:14.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=71E27C6BA8F8E0CB46E2947E4EF6C638,SHA256=0004B2E4735DB27F1723BE75A28A05B36705D0519A554E25CDE34C365D3FE60Bfalsetrue 11241100x80000000000000005427593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:14.441{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:14.441{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5BAA0B7AB145B170C142BBF94D24172A,SHA256=B78978DEAE6EDCA10592D2A638D6FED38FF9B1B5CE81DA00685B591B3D43E71Cfalsetrue 11241100x80000000000000005427591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:14.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:14.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DB289D90DE7A4A26D964ED14D00EED,SHA256=A1271528609317B6974A9071421C8092285D3DDCEDD87C90D8EC486C52304745falsetrue 23542300x80000000000000001535257Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:14.006{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA83184475383CBC20C7D4C2F18E817C,SHA256=9D9C654C895E212A6DAD121A27F545589044B6F8079C01B4F21DD47A5F16FA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535260Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:15.462{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7360984686F92031DCCF5ECD95BC7DAD,SHA256=F82FC8D43AFB13DFB525740F9ECC25C069679A57C147072D52D8FD097C5EC29C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:15.379{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:15.379{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B11E6B1CC8FDA61F1C0A0F516F787229,SHA256=B3BD86B25A3E8D13FC28DC89F778E5480A98650043BD40DA93DA356C48F11E2Dfalsetrue 11241100x80000000000000005427597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:15.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:15.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D806C7917F7C2A346167B59B861E58FE,SHA256=66AE8EA019EC89D1976216FCC637B97BB8AD5434FBB3F932CFA7368C2D31787Ffalsetrue 11241100x80000000000000005427601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:16.207{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:16.207{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A83888C3A3DED8669981AD1607324D6,SHA256=313D5287AF50C188B394BEE29B3B416EAE4496A0820A2ACF3F59CE859D127A29falsetrue 
10341000x80000000000000001535269Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.980{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FCC4-6138-2BCE-00000000F101}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535268Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.980{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535267Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:16.980{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535266Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.980{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535265Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:16.980{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535264Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.980{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FCC4-6138-2BCE-00000000F101}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535263Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.980{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FCC4-6138-2BCE-00000000F101}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535262Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.965{AEE49BD1-FCC4-6138-2BCE-00000000F101}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535261Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.464{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A11C917B2E469B6328EB1CBB2373DE,SHA256=56B860441A60F6868359B78A137256EA3F14C795D81A959F50FB1DB61A641ABF,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001535280Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:17.650{AEE49BD1-FCC5-6138-2CCE-00000000F101}36362184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535279Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:17.528{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FCC5-6138-2CCE-00000000F101}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535278Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:17.528{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535277Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:17.528{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535276Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
Sysmon records (Channel=Microsoft-Windows-Sysmon/Operational), one record per line as key=value pairs in Sysmon schema order; the XML element tags were lost in extraction and are restored here as field names. Common to every record below: Level=4, Opcode=0, Keywords=0x8000000000000000, Task equal to EventID, RuleName=-. UtcTime is the Sysmon event-data timestamp. Values containing spaces are double-quoted; CommandLine values that themselves contain double quotes are single-quoted.

EventID=10 (ProcessAccess; this record's System header precedes the section) UtcTime="2021-09-08 18:11:17.528" SourceProcessGUID={AEE49BD1-415A-6132-0C00-00000000F101} SourceProcessId=724 SourceThreadId=4412 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AEE49BD1-415B-6132-1D00-00000000F101} TargetProcessId=1860 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"

EventID=10 Version=3 RecordID=1535275 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:17.528" SourceProcessGUID={AEE49BD1-415A-6132-0C00-00000000F101} SourceProcessId=724 SourceThreadId=4412 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AEE49BD1-415B-6132-1D00-00000000F101} TargetProcessId=1860 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"

EventID=10 Version=3 RecordID=1535274 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:17.528" SourceProcessGUID={AEE49BD1-4159-6132-0500-00000000F101} SourceProcessId=412 SourceThreadId=992 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={AEE49BD1-FCC5-6138-2CCE-00000000F101} TargetProcessId=3636 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f"

EventID=10 Version=3 RecordID=1535273 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:17.528" SourceProcessGUID={AEE49BD1-41F0-6132-A300-00000000F101} SourceProcessId=3384 SourceThreadId=3556 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={AEE49BD1-FCC5-6138-2CCE-00000000F101} TargetProcessId=3636 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"

EventID=1 Version=5 RecordID=1535272 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:17.514" ProcessGuid={AEE49BD1-FCC5-6138-2CCE-00000000F101} ProcessId=3636 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" FileVersion=8.0.2 Description="Active Directory monitor" Product="splunk Application" Company="Splunk Inc." OriginalFileName=splunk-admon.exe CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"' CurrentDirectory=C:\Windows\system32\ User="NT AUTHORITY\SYSTEM" LogonGuid={AEE49BD1-4159-6132-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165 ParentProcessGuid={AEE49BD1-41F0-6132-A300-00000000F101} ParentProcessId=3384 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'

EventID=23 Version=5 RecordID=1535271 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:17.466" ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} ProcessId=3924 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=292121452FCDC4D62602366F6E4311F3,SHA256=F5C5CDB8D2C48A32EDA4643A335B790598D9793353E05D682BC122F58C74D720,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=3 Version=5 RecordID=5427608 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:03.814" ProcessGuid={4DF467A6-D939-6137-81AF-00000000F001} ProcessId=4208 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-291.attackrange.local SourcePort=63370 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-

EventID=11 Version=2 RecordID=5427607 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:17.223" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-09-03 15:28:51.675"

EventID=23 Version=5 RecordID=5427606 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:17.223" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=77213692A828FDEA8A064FEBBB8565C4,SHA256=81C5134C8C56C1C7FF06C749BADFDBABA8F049D9286F79C6CF6E63FFE679A5B1 IsExecutable=false Archived=true

EventID=11 Version=2 RecordID=5427605 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:17.207" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" CreationUtcTime="2021-09-03 15:27:39.769"

EventID=23 Version=5 RecordID=5427604 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:17.207" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=DD41376C458ACF25DAD8C0C898EB7C5E,SHA256=23A889ACE7CB05B26C538CB2D48B4A02921CA5C703BF26AAD200489F88924779 IsExecutable=false Archived=true

EventID=11 Version=2 RecordID=5427603 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:17.207" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" CreationUtcTime="2021-09-03 15:27:39.769"

EventID=23 Version=5 RecordID=5427602 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:17.207" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=5F4B50EA9EB698927E558237B6B010A2,SHA256=0D6C6FDEE3386546A8DF2173DFB4B4B6D1856C86886ED35257D3560353C0478B IsExecutable=false Archived=true

EventID=23 Version=5 RecordID=1535270 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:17.212" ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} ProcessId=3924 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=BDBCE45C22440AD034362369927E4D8E,SHA256=DFFD3DE1AEED01EDF661156508A17ED206D2004DF7A4D90E1D73345C04100687,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=11 Version=2 RecordID=1535292 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:18.968" ProcessGuid={AEE49BD1-DACA-6138-1CCA-00000000F101} ProcessId=4976 Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\SiteSecurityServiceState.txt CreationUtcTime="2021-09-08 15:38:17.364"

EventID=23 Version=5 RecordID=1535291 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:18.968" ProcessGuid={AEE49BD1-DACA-6138-1CCA-00000000F101} ProcessId=4976 User=WIN-HOST-296\Administrator Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\SiteSecurityServiceState.txt Hashes=MD5=40D52B59E4557F69A927469F184BFD82,SHA256=186C626B803DF1D6EF41092F99ACECD0ED58C973FD04CC0D6003D6A38E194F73,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 Version=5 RecordID=1535290 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:18.514" ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} ProcessId=3924 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=2447F3ED03E003960F69DF0DF7BEEA70,SHA256=5584E752D83F11E77BC90F4301CAD1B916958A0C1F5D34BABA53D15637636608,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=23 Version=5 RecordID=1535289 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:18.467" ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} ProcessId=3924 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=4BB89AB62000A5EC9959657E0C10942D,SHA256=656620C4D85DFEE543040EDA619CA3C3C5EBB957E689F3D25C254370FE1DDF36,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=11 Version=2 RecordID=5427610 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:18.238" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-09-03 15:28:51.675"

EventID=23 Version=5 RecordID=5427609 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:18.238" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=1A08D5A80B486EA93D02BA3AA524D236,SHA256=B2F5458D85A5D9A317E26A203F3D35FEEB44C294309D9473C4DDCE8CFEA7B0E5 IsExecutable=false Archived=true

EventID=10 Version=3 RecordID=1535288 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:18.214" SourceProcessGUID={AEE49BD1-41F0-6132-A700-00000000F101} SourceProcessId=3764 SourceThreadId=3780 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={AEE49BD1-FCC6-6138-2DCE-00000000F101} TargetProcessId=5012 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"

EventID=10 Version=3 RecordID=1535287 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:18.214" SourceProcessGUID={AEE49BD1-415A-6132-0C00-00000000F101} SourceProcessId=724 SourceThreadId=4412 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AEE49BD1-415B-6132-1D00-00000000F101} TargetProcessId=1860 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"

EventID=10 Version=3 RecordID=1535286 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:18.214" SourceProcessGUID={AEE49BD1-415A-6132-0C00-00000000F101} SourceProcessId=724 SourceThreadId=4412 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AEE49BD1-415B-6132-1D00-00000000F101} TargetProcessId=1860 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"

EventID=10 Version=3 RecordID=1535285 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:18.214" SourceProcessGUID={AEE49BD1-415A-6132-0C00-00000000F101} SourceProcessId=724 SourceThreadId=4412 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AEE49BD1-415B-6132-1D00-00000000F101} TargetProcessId=1860 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"

EventID=10 Version=3 RecordID=1535284 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:18.214" SourceProcessGUID={AEE49BD1-415A-6132-0C00-00000000F101} SourceProcessId=724 SourceThreadId=4412 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AEE49BD1-415B-6132-1D00-00000000F101} TargetProcessId=1860 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"

EventID=10 Version=3 RecordID=1535283 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:18.214" SourceProcessGUID={AEE49BD1-4159-6132-0500-00000000F101} SourceProcessId=412 SourceThreadId=428 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={AEE49BD1-FCC6-6138-2DCE-00000000F101} TargetProcessId=5012 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f"

EventID=10 Version=3 RecordID=1535282 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:18.214" SourceProcessGUID={AEE49BD1-41F0-6132-A300-00000000F101} SourceProcessId=3384 SourceThreadId=3556 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={AEE49BD1-FCC6-6138-2DCE-00000000F101} TargetProcessId=5012 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"

EventID=1 Version=5 RecordID=1535281 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:18.199" ProcessGuid={AEE49BD1-FCC6-6138-2DCE-00000000F101} ProcessId=5012 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" FileVersion=8.0.2 Description="Network monitor" Product="Splunk Application" Company="Splunk Inc." OriginalFileName=splunk-netmon.exe CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"' CurrentDirectory=C:\Windows\system32\ User="NT AUTHORITY\SYSTEM" LogonGuid={AEE49BD1-4159-6132-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC ParentProcessGuid={AEE49BD1-41F0-6132-A300-00000000F101} ParentProcessId=3384 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'

EventID=23 Version=5 RecordID=1535294 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:19.469" ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} ProcessId=3924 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=F8FC1C35D1087794A63661A79FA7FA79,SHA256=423E05EC9704A5A8228381178CC402145283A3BC099A63C6218FDA1BC0566289,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=11 Version=2 RecordID=5427616 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:19.629" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" CreationUtcTime="2021-09-03 15:27:39.754"

EventID=23 Version=5 RecordID=5427615 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:19.629" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" Hashes=MD5=3F40307C08BA8D77A01A5F04C9820490,SHA256=AA5CE01A29C43BFA0F08521D430052980234D4CAA236ED1AC7097274682941BF IsExecutable=false Archived=true

EventID=11 Version=2 RecordID=5427614 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:19.488" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" CreationUtcTime="2021-09-03 15:27:39.754"

EventID=23 Version=5 RecordID=5427613 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:19.488" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" Hashes=MD5=2F77C077197AE8CB42EA1623FC7B5CDD,SHA256=28FDA128E5005953D3E42F98D8E2FEAD9958D32E17B1B66C62B8493841CF9835 IsExecutable=false Archived=true

EventID=11 Version=2 RecordID=5427612 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:19.254" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-09-03 15:28:51.675"

EventID=23 Version=5 RecordID=5427611 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:19.254" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=7DBDE64D165FA901561DE1E65F44C7B2,SHA256=2010C71A3F94A689ED363385CAC566D0DA2A29EB19CF3E03F2F6550844616F46 IsExecutable=false Archived=true

EventID=3 Version=5 RecordID=1535293 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:10.857" ProcessGuid={AEE49BD1-41F7-6132-D100-00000000F101} ProcessId=3472 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-296.attackrange.local SourcePort=60615 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-

EventID=23 Version=5 RecordID=1535295 Computer=win-host-296.attackrange.local UtcTime="2021-09-08 18:11:20.471" ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} ProcessId=3924 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=C343541FA27BBEC37DFE0B5212FBF542,SHA256=417862B8B56514A9D3422F32D5D8E0733B304AD8F395563F6501D3E523C67F0D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

EventID=11 Version=2 RecordID=5427620 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:20.441" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" CreationUtcTime="2021-09-03 15:27:39.754"

EventID=23 Version=5 RecordID=5427619 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:20.441" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" Hashes=MD5=311F51859EB4BC269E76FB7534335CB0,SHA256=481DD56576EB8ECDBBD5F5B4197E8489E6DAA46799A565E5911AF5E17686458C IsExecutable=false Archived=true

EventID=11 Version=2 RecordID=5427618 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:20.269" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-09-03 15:28:51.675"

EventID=23 Version=5 RecordID=5427617 Computer=win-dc-291.attackrange.local UtcTime="2021-09-08 18:11:20.269" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=23A408E1FD29F44D5F2D3021561B86B5,SHA256=DFCF35B8137E5E6CDC1FE5EDEEE112B2EE8725B7DBD6063C898506D68CC8F406 IsExecutable=false Archived=true

The remaining records are all from Computer=win-dc-291.attackrange.local ProcessGuid={4DF467A6-FCC9-6138-1FD4-00000000F001} ProcessId=332 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"; those four fields are omitted from each line. EventID=7 (ImageLoad) records are Version=3 and carry Signed=true; EventID=18 (PipeConnected) records are Version=1.

EventID=7 RecordID=5427734 UtcTime="2021-09-08 18:11:21.957" ImageLoaded=C:\Windows\System32\cryptbase.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Base cryptographic API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=cryptbase.dll Hashes=MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427733 UtcTime="2021-09-08 18:11:21.957" ImageLoaded=C:\Windows\System32\rsaenh.dll FileVersion="10.0.14393.4467 (rs1_release.210604-1844)" Description="Microsoft Enhanced Cryptographic Provider" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=rsaenh.dll Hashes=MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427732 UtcTime="2021-09-08 18:11:21.957" ImageLoaded=C:\Windows\System32\cryptsp.dll FileVersion="10.0.14393.2969 (rs1_release.190503-1820)" Description="Cryptographic Service Provider API" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=cryptsp.dll Hashes=MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=18 RecordID=5427731 EventType=ConnectPipe UtcTime="2021-09-08 18:11:21.957" PipeName=\srvsvc

EventID=7 RecordID=5427730 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\srvcli.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Server Service Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=SRVCLI.DLL Hashes=MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=18 RecordID=5427729 EventType=ConnectPipe UtcTime="2021-09-08 18:11:21.941" PipeName=\wkssvc

EventID=7 RecordID=5427728 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\bcrypt.dll FileVersion="10.0.14393.4583 (rs1_release.210730-1850)" Description="Windows Cryptographic Primitives Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=bcrypt.dll Hashes=MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427727 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\wkscli.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Workstation Service Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=WKSCLI.DLL Hashes=MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427726 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\netutils.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Net Win32 API Helpers DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=NETUTILS.DLL Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427725 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\netapi32.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Net Win32 API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=NetApi32.DLL Hashes=MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427724 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\sspicli.dll FileVersion="10.0.14393.2580 (rs1_release_inmarket.181009-1745)" Description="Security Support Provider Interface" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=sspicli.dll Hashes=MD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427723 UtcTime="2021-09-08 18:11:21.941" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll" FileVersion="14.16.27012.6 built by: vcwrkspc" Description="Microsoft® C Runtime Library" Product="Microsoft® Visual Studio® 2017" Company="Microsoft Corporation" OriginalFileName=msvcp140.dll Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF Signed=true Signature="Microsoft Corporation" SignatureStatus=Valid

EventID=7 RecordID=5427722 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\msvcp_win.dll FileVersion="10.0.14393.2999 (rs1_release_inmarket.190520-1518)" Description="Microsoft® C Runtime Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=msvcp_win.dll Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427721 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\oleaut32.dll FileVersion="10.0.14393.4402 (rs1_release.210426-1725)" Description=OLEAUT32.DLL Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=OLEAUT32.DLL Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427720 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\bcryptprimitives.dll FileVersion="10.0.14393.4583 (rs1_release.210730-1850)" Description="Windows Cryptographic Primitives Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=bcryptprimitives.dll Hashes=MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427719 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\combase.dll FileVersion="10.0.14393.4583 (rs1_release.210730-1850)" Description="Microsoft COM for Windows" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=COMBASE.DLL Hashes=MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427718 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\Wldap32.dll FileVersion="10.0.14393.3269 (rs1_release.190929-1234)" Description="Win32 LDAP API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=WLDAP32.DLL Hashes=MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427717 UtcTime="2021-09-08 18:11:21.941" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll" FileVersion="14.16.27012.6 built by: vcwrkspc" Description="Microsoft® C Runtime Library" Product="Microsoft® Visual Studio® 2017" Company="Microsoft Corporation" OriginalFileName=vcruntime140.dll Hashes=MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9 Signed=true Signature="Microsoft Corporation" SignatureStatus=Valid

EventID=7 RecordID=5427716 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\ole32.dll FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="Microsoft OLE for Windows" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=OLE32.DLL Hashes=MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427715 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\adsldpc.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="ADs LDAP Provider C DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=adsldpc Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427714 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\gdi32full.dll FileVersion="10.0.14393.4530 (rs1_release.210705-0736)" Description="GDI Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=gdi32 Hashes=MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427713 UtcTime="2021-09-08 18:11:21.941" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\archive.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid

EventID=7 RecordID=5427712 UtcTime="2021-09-08 18:11:21.941" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll" FileVersion=1.0.2t Description="OpenSSL Shared Library" Product="The OpenSSL Toolkit" Company="The OpenSSL Project, http://www.openssl.org/" OriginalFileName=libeay32.dll Hashes=MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid

EventID=7 RecordID=5427711 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\gdi32.dll FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="GDI Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=gdi32 Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427710 UtcTime="2021-09-08 18:11:21.941" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid

EventID=7 RecordID=5427709 UtcTime="2021-09-08 18:11:21.941" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid

EventID=7 RecordID=5427708 UtcTime="2021-09-08 18:11:21.941" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll" FileVersion=1.0.2t Description="OpenSSL Shared Library" Product="The OpenSSL Toolkit" Company="The OpenSSL Project, http://www.openssl.org/" OriginalFileName=ssleay32.dll Hashes=MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid

EventID=7 RecordID=5427707 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\win32u.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description=Win32u Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=Win32u.DLL Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427706 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\ucrtbase.dll FileVersion="10.0.14393.3659 (rs1_release_1.200410-1813)" Description="Microsoft® C Runtime Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=ucrtbase.dll Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427705 UtcTime="2021-09-08 18:11:21.941" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A Signed=true Signature="Splunk, Inc." SignatureStatus=Valid

EventID=7 RecordID=5427704 UtcTime="2021-09-08 18:11:21.941" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll" FileVersion=2.9.9 Description="libxml2 library" Product=libxml2 Company=- OriginalFileName=libxml2.dll Hashes=MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid

EventID=7 RecordID=5427703 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\user32.dll FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="Multi-User Windows USER API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=user32 Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427702 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\nsi.dll FileVersion="10.0.14393.3297 (rs1_release_1.191001-1045)" Description="NSI User-mode interface DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=nsi.dll Hashes=MD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427701 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\activeds.dll FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="ADs Router Layer DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=ADs Hashes=MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid

EventID=7 RecordID=5427700 UtcTime="2021-09-08 18:11:21.941" ImageLoaded=C:\Windows\System32\msvcrt.dll FileVersion="7.0.14393.2457 (rs1_release_inmarket.180822-1743)" Description="Windows NT CRT DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=msvcrt.dll Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
734700x80000000000000005427699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005427698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005427697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005427696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005427695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005427694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005427693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005427692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005427690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005427689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005427688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005427687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.926{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005427686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005427685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.926{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005427684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000005427678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 11241100x80000000000000005427677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A372E177FB0BE55043486C14FD7D7958,SHA256=F1B0036D22D3C4D46466511D5824AB65674BD47530A72C3B0AD66A0E0DC151B5falsetrue 734700x80000000000000005427675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 
10341000x80000000000000005427674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-FCC9-6138-1ED4-00000000F001}32247892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005427672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001535306Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:21.474{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3875DCE610CD045EF543688500F8AEE2,SHA256=ADCFCCBC124A6A339175196DFCD92142512B402433E901E9DA327A1348B60D20,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001535305Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001535304Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1a4c3c35) 13241300x80000000000000001535303Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4d4-0x8b6e6008) 13241300x80000000000000001535302Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4dc-0xed32c808) 13241300x80000000000000001535301Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4e5-0x4ef73008) 
13241300x80000000000000001535300Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001535299Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1a4c3c35) 13241300x80000000000000001535298Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4d4-0x8b6e6008) 13241300x80000000000000001535297Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4dc-0xed32c808) 13241300x80000000000000001535296Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4e5-0x4ef73008) 734700x80000000000000005427671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005427670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005427669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005427668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005427667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft 
WindowsValid 18141800x80000000000000005427666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005427665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005427664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005427663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005427662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005427661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005427660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005427659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005427658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005427657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005427656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005427655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program 
18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005427755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005427754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005427753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005427752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005427751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.540{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005427750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:22.535{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous 
Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:22.535{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:22.535{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:22.535{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:22.535{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:22.535{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005427744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DA6C0FB982F63FADF8DBB776AFF7B1,SHA256=579D48C7BDDD42EA8E1BE8051DA54F1FCBB9AFD0F0AF7E52059DC1B6FF534EC3falsetrue 23542300x80000000000000001535342Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.523{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7C96DC174ECD91C2D018767F4C5AE1,SHA256=066818CC2E14CA5AC6ADE9BBC40C96FBF1BCC6A7FD7F8C8E9A9E70032FF23E2C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005427742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.301{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005427741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.301{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=865C4B93A6B43FEFD6B6DA9C46CA9E72,SHA256=947218A2182A90715A264713CCFE2760C8DDE4C60BCFDA9318E43F7668BFA183falsetrue 11241100x80000000000000005427740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.301{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005427739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:22.301{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD41376C458ACF25DAD8C0C898EB7C5E,SHA256=23A889ACE7CB05B26C538CB2D48B4A02921CA5C703BF26AAD200489F88924779falsetrue 534500x80000000000000005427738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.066{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005427737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.066{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005427736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.066{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005427735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.066{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001535341Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.207{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64816E0468E38838793EB5AD288D6FFC,SHA256=26FCBA5EEB6EF8BF3FECA9E6D841D00836BF901EDA693565FE12B473C9F92492,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535340Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.156{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535339Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.156{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535338Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535337Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535336Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535335Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535334Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535333Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535332Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535331Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535330Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535329Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535328Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535327Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535326Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535325Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535324Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535323Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535322Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535321Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535320Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535319Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.154{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535318Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.154{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535317Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.154{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535316Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.154{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535315Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.154{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1F00-00000000F101}1968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535314Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.154{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1F00-00000000F101}1968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535313Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.154{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535312Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.154{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535311Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.154{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535310Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.154{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535309Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.153{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535308Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.153{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535307Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:22.153{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.941{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 354300x80000000000000005427914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.861{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63371-false10.0.1.12-8000- 734700x80000000000000005427913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005427912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005427911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005427910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005427909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005427908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005427907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005427906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005427905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 
734700x80000000000000005427904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005427903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005427902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005427901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® 
Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005427900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005427899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005427898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005427897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005427896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005427895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005427894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 
734700x80000000000000005427893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005427892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005427891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005427890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005427889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005427888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005427887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005427886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005427885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005427884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005427883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005427882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005427881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005427880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005427879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005427878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 
(rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005427877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005427876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005427874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005427873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005427872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005427871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000005427870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.910{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005427869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.911{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005427967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005427966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005427965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005427964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000005427963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005427962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005427961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005427960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005427959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005427958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005427957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005427956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005427955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005427954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005427953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
734700x80000000000000005427952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005427951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005427950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005427949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005427948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005427947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005427946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005427945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005427944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005427943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005427942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005427941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® 
Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005427940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005427939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005427938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005427937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005427936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005427935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005427934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005427933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005427931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005427930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005427929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005427928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005427927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005427926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.598{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005427925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000005427919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.051{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005427918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.051{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005427917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.051{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005427916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.051{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image 
18:11:29.065{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:29.065{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E88D8A76FE627C454C445A26983C89,SHA256=83CDB0BF64DEE061A4646C10B9D2A73EB4E67B8013050A66D8D93145FB68649Ffalsetrue 354300x80000000000000001535354Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:21.810{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60617-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535356Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:30.643{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BCC8A0B0FA391C3B67DBC38E9B551A,SHA256=A1D69B58B889C9C638CA6580512A2CF696A446FEE175BD39EE4A63C0DE813596,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:30.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:30.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=68A2CA7360A73CA494DAF4D136789073,SHA256=DEA3B7A70F9D0E848A87F28CBE7AEC34C08E36B7CBF3C63322232C637CE02024falsetrue 11241100x80000000000000005428066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:30.237{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x80000000000000005428065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:30.237{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E4EE40A452A6F3C4E4B6968E24C0A3AE,SHA256=E21E821332458B400EB48C1FA52D3D7683D903C5D67C720D06481EB27E02479Cfalsetrue 11241100x80000000000000005428064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:30.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:30.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7D90B7EDDCF11EFA123F5E3BB9711E,SHA256=348109F611C47B860E889B6932041E7A170427C0C7E2E192763996917053A141falsetrue 23542300x80000000000000001535358Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:31.645{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D776BF9B83E54632BC2D9502B4EA7A,SHA256=A8C6D2B6A0A30F338E18726B90076435FF614E6B956523F1F03D77344752521E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:31.112{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:31.112{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE340DFC770FABEC6364CC24E6F2E34,SHA256=B6B8EF87583B05111DD7F68C1AA7C0EDBB6FFDCE77A47C1CEE51B46DEE230042falsetrue 23542300x80000000000000001535357Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:31.097{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B95E9113A441DE7C74AC634CD9BA4B34,SHA256=3B7F7BB7463F6DED632BF2463CD7E5D15E2C25E40BB351B5C05A5BFD8A00FC40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005428069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:15.828{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63372-false10.0.1.12-8000- 23542300x80000000000000001535368Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.662{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DC31E1B47E18252B3027E662C64833,SHA256=E4AF629CE40863C67E5A23C9D4719288EAB2DCF46F2A0549FEA48500740B0EDC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:32.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:32.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DECB9CD3061CCF59ED7D2271AB97A76,SHA256=1E42EDEF0D2E87929526B500107CC7E7228140462FAA1B474F8C35AB9BB3BF49falsetrue 10341000x80000000000000001535367Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.599{AEE49BD1-FCD4-6138-2ECE-00000000F101}32125516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535366Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.480{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FCD4-6138-2ECE-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535365Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:32.479{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535364Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.479{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535363Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:32.478{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535362Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.478{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535361Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:32.478{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FCD4-6138-2ECE-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535360Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.478{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FCD4-6138-2ECE-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535359Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.463{AEE49BD1-FCD4-6138-2ECE-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001535389Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.985{AEE49BD1-FCD5-6138-30CE-00000000F101}8681844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535388Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.863{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FCD5-6138-30CE-00000000F101}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535387Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:33.863{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535386Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.863{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535385Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:33.863{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535384Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.863{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535383Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:11:33.863{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FCD5-6138-30CE-00000000F101}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535382Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.863{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FCD5-6138-30CE-00000000F101}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535381Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.848{AEE49BD1-FCD5-6138-30CE-00000000F101}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535380Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.663{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F131D2CDE81773C655E96A6B34A8573F,SHA256=DA32F78B27F5092BECD09EB802C695F111F3FBD1C116345E02F8B5BE4F289B7E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:33.143{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:33.143{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC333D35D76E679EDC5109AB66486B7,SHA256=3853C30753AD2B520AA183B6BAEA847540134A52EA87F69F43CBBFD05E43FC8Bfalsetrue 23542300x80000000000000001535379Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.482{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09E1E4BA7F2E344DB42D0DA400826505,SHA256=70EBEB2BC5250873E208A463432096D27E6E429DF9113F536723BEBDC878E5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535378Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.482{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=924808AECD5C9F15B250C4F26A4371E8,SHA256=879BBD2CB00E6505A09A12E73CB9F1AA5A85B6CDFCDDA23A0F9BA6D316CCBC0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535377Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.285{AEE49BD1-FCD5-6138-2FCE-00000000F101}49084268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535376Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FCD5-6138-2FCE-00000000F101}4908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535375Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535374Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535373Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535372Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535371Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FCD5-6138-2FCE-00000000F101}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535370Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FCD5-6138-2FCE-00000000F101}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535369Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.148{AEE49BD1-FCD5-6138-2FCE-00000000F101}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535392Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:34.883{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09E1E4BA7F2E344DB42D0DA400826505,SHA256=70EBEB2BC5250873E208A463432096D27E6E429DF9113F536723BEBDC878E5E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535391Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:34.685{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CBBE0426DE8609DEFBCA6B17AACB49,SHA256=251543038A3E610784739472C0B0B65340EC2415230A6F394591485702867051,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.987{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.987{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=828B57DEDE5037C2C8F6AC358FD51991,SHA256=B3421075872D8D184CCA17FB1216CDAF58FEFEAFAF57FE3D17FAA83142FEC676falsetrue
11241100x80000000000000005428081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.893{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.893{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=646EB761FBB717CE10177D65503B5B28,SHA256=05C6A7146AE094EF5797F03AF2B9F55B9D8827D5AE34F4897E4237A04E011014falsetrue
11241100x80000000000000005428079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.253{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.253{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4835459734A9566C6C135C0CE7F30F81,SHA256=3AB653B3640A213AF3EED7352A238521AD92F5FBB243C662AACA2D49EAB2B106falsetrue
11241100x80000000000000005428077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212E310E1E7514D5EE64026A4ABC3FD5,SHA256=90F0A2AE673B9152CACDB2D2F10601DA9E3B666E2542F494FDA1EFD1903A4F7Bfalsetrue
354300x80000000000000001535390Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:27.777{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60618-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535393Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:35.719{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194A29173EBE0569348E87F5BA1D766D,SHA256=A4AA6EA97828EF07070121E69B9D3D82C5583C4840FBFF733E7B772378CE4EEF,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:35.612{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:35.612{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4252B6184CB10C09A3C0EB01A9B6DC12,SHA256=AC029E6804B1723CA150CFBD3FFA573363A4C8E4CD673FDC643FEB0620F2ABBDfalsetrue
354300x80000000000000005428086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:20.891{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63373-false10.0.1.12-8000-
11241100x80000000000000005428085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:35.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:35.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC996FF3610DD98F344B1D478CAC0CB,SHA256=06CB79927EF72E2A374F088683A44994ABB9E5BBE7285C8BE6B5BDC1C0DC5EB7falsetrue
23542300x80000000000000001535394Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:36.722{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604246D7ED88213A48785E3AB6C9C630,SHA256=2516F620118CE0B79A1C21D7EDFB3F7D13B7FEA4AC75B3AA5043632EF2EABC79,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:36.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:36.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB4BA900FD8D0E7EA47A7FDC4DEAEE6,SHA256=119AD406738C327229CB5D045AE1F1BF912B36AD7E642F971E35E6AFCCA8D277falsetrue
23542300x80000000000000001535395Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:37.757{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7732ECB1BA94D59D96D78483C9173C,SHA256=7E51046F567BDD3F57E04085CD8A0F180910959A1E6DCCC489DF24CBA11FB96C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:37.268{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:37.268{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F287C172B13A29D397A31477607F18AF,SHA256=C410643FAE5C351E7E4EA86508A3B7E2F436191CAD843FF8F036DD20C649FC5Bfalsetrue
23542300x80000000000000001535396Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:38.775{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D40C8D787E8252BD98E7EF47EE5291,SHA256=F131BEBFF09F9513B7C3ED31B7741AABC8836989545CA16A95A9979DCC542176,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:38.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:38.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0E10432EF0728C9DBFDC1C610188CF,SHA256=4B3078F61E1DF7A0AAA4B5A9A8B0970DA90079F618B36C913DC9412194BE291Ffalsetrue
23542300x80000000000000001535399Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:39.797{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=283DCB80562B9861F1CDAA0C3127BDAC,SHA256=6B5D6A1CB8731B21988A73F9A70ACA9CA153BF2B0BE233A5352C57349C730D3F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:39.878{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:39.878{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F0E5D83A1A9B7BF978329BAC1BF545F2,SHA256=E8BA618BE1A90233128CA6FCF90CE2A7212B2F33D66CC22E2BA7650385EBDCAFfalsetrue
11241100x80000000000000005428098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:39.737{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:39.737{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A694D54BF58A545BBDCA2BF4C68E7EEE,SHA256=4A857FCF6EE776F81DBA8B801B51CD7A1457B10FEF4D4F979FC07BCA45C2D31Bfalsetrue
11241100x80000000000000005428096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:39.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:39.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C06DB514EFC4D3D456E4C7E7383DA4,SHA256=6D790364A5834259B1B47F1125D71278D41A1259C9C75A5A0B4D1E13586F3BD3falsetrue
354300x80000000000000001535398Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.786{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60619-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535397Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:39.145{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=016C8F0CDF3338CB996DAC66A07EF0CD,SHA256=ED7AE6FA3DB74E6CBCBA6077E3A9A5CDF680DB4E2138D9D2FB20052928EAC372,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535400Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:40.800{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD56FE22F22AB83EE32B939613BCFAA4,SHA256=5A4520A9782DDF5D68B5CC39CCD738E64E9CA33FAEE7124E087913858C2BB1A7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:40.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:40.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5EAA66E443B4365D741BE26BD898D096,SHA256=04C746959C180DFD1DDD819D45143A6F3EDC0482B27ACF9717FBD85DBEF08560falsetrue
12241200x80000000000000005428112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:11:40.549{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\system32\dns.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x80000000000000005428111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:11:40.549{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\system32\dns.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
11241100x80000000000000005428110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:40.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515
23542300x80000000000000005428109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:40.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=41A52DCFD0492F8A0A2131C9D1349156,SHA256=6B2074AC4710253458ECD0ADEEB6E7C4CCDEA7D1C863444C36C8C972F2F3C98Bfalsetrue
11241100x80000000000000005428108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:40.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515
23542300x80000000000000005428107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:40.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=99359BB661394E6F312679FE490EA1AE,SHA256=BCFF975B9F219277591578126601E93794C46286C4571755E3842D9E475CDF33falsetrue
11241100x80000000000000005428106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:40.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:40.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2979593BB47585BA72AB4FFD9180C8,SHA256=9A24771CD87487F2C03E018BB2F277C87465060FF36B19FC80F93067136C1EF8falsetrue
11241100x80000000000000005428104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:40.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:40.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A09DD381171E270D28DED07C9F090CAF,SHA256=C459D6B41C6129B7CA2E793C18F23AB914734E80CFE4BE1CA20AEB3BE0E05079falsetrue
11241100x80000000000000005428102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:40.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:40.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C39D439CB508DECF2FB38F8A18852BD,SHA256=B66D64B94AB82DBC77949D0D389AA60D3AAB267B43E63EA8BC5FFBABF3816553falsetrue
23542300x80000000000000001535401Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:41.884{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CED2CB4C3DD7D22E7A1C45B8EE0B604,SHA256=138C73651CD552DA1C9C80FC0075C80BB7BC5836875B99CC29F8B9DA9DEE0C91,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:41.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:41.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A09DD381171E270D28DED07C9F090CAF,SHA256=C459D6B41C6129B7CA2E793C18F23AB914734E80CFE4BE1CA20AEB3BE0E05079falsetrue
354300x80000000000000005428117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:26.718{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63374-false10.0.1.12-8000-
11241100x80000000000000005428116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:41.393{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:41.393{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010DA2C7513EE7E945D3994D98F0ABC7,SHA256=502EC6105686ECB9889D25378EB7A5D462FD8D2D426AB25415A7D1CB4536B640falsetrue
23542300x80000000000000001535410Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:42.908{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC4C90D6A071E4C42991D951763FE25,SHA256=E05A037A40666F94CC88385226B7D362AD8C7C37CED2958CFAAE06BC92DCA9C3,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA428C3BE241260A5AC0ACEF4BC6498B,SHA256=5AA6218874AD8EE07E66D51CB7D86D31ECCD98E550C2AF63039586179E98F3E4falsetrue
11241100x80000000000000005428154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.768{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.768{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADDC6F7D16FBBB017D982ECC033D69E,SHA256=27800AFEA39853D9A2918ADC55AB161280A4EA2E9889C6EA281FE43E42DB5F96falsetrue
354300x80000000000000005428152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:28.207{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local51509-
354300x80000000000000005428151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:28.206{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local57473-
354300x80000000000000005428150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:28.205{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local65149-
354300x80000000000000005428149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:28.205{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local65089-
10341000x80000000000000001535409Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:42.855{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FCDE-6138-31CE-00000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535408Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:42.855{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535407Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:42.855{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535406Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:42.855{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535405Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:42.855{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535404Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:42.855{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FCDE-6138-31CE-00000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535403Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:42.855{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FCDE-6138-31CE-00000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535402Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:42.840{AEE49BD1-FCDE-6138-31CE-00000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005428148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005428120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001535412Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:43.926{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1D66EC24FC782866E6E38478C07E35,SHA256=E29D35DFC02398CA661E3D5835F34B77392AAC7BCC40BDC4B2677204CAA9F21C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:43.503{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:43.503{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000A730EB77A2895EF83DBE4DF0025CF,SHA256=4CFB0AF6AA75D1B78A8052CBC58950A6FE602B070E21EFA405279B8591AFEAA0falsetrue 23542300x80000000000000001535411Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:43.841{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A4D7263497715701344D41FD1AC789B,SHA256=BDF6D0C16D25A64F55EF2D762617D1B42AD31D605EA9FA6C05D736B5143729BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535413Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:44.928{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D162D52C05B901393258FE0C44680C,SHA256=416065FB14CF43BABE8CF38DC9309D4B811FF86CCD4B1DB35E16C2AD201258BD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:44.909{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:44.909{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7749FDEDDA8E953A3A997903683B8282,SHA256=F02F80946D78223BFB7A645EB12EFC5181C92879C7FD7018FB4BE0DCC1792FF3falsetrue 11241100x80000000000000005428162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:44.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:44.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4AA6328C6E05024597EA9860095FDD3A,SHA256=85EF241CCC4C77274156066A39435E99E98C296ABF621711BC0216590671F13Cfalsetrue 
Sysmon events from the attack range hosts, one event per line, fields separated by " | " in Sysmon schema order (the export had stripped the XML tags, so adjacent fields ran together):
EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName | (event-specific fields)
EventID 11 FileCreate: UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
EventID 23 FileDelete: UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
EventID 3 NetworkConnect: UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
EventID 12 / 13 RegistryEvent: EventType | UtcTime | ProcessGuid | ProcessId | Image | TargetObject | Details (13 only)

11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428160 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:44.565 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428159 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:44.565 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=20B2F6A02E8EB898D1A94E1B997866D4,SHA256=7FBFBCE17433F3615513C675F2E166D0361901568C3180CDD8FE63A7F491F9E5 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535416 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:45.930 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=2B3FC8FD96C2E6B0FA4700AD053C853C,SHA256=0114EF1AEE04ABE6EEBB9929C227A91FC521B9CB9E8B7CBDC2F43B5DCFE1950F,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428170 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:45.737 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428169 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:45.737 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=3907995DA255F8EB7B73DA81AAF9BD00,SHA256=9B800986061B33A8C4D1B1032519ADC5E2CCFF63CFFFC599E1ACEF85DF6CF7A0 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428168 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:45.596 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428167 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:45.596 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=82B8B469C1594EF96FF6F8D61F84CF03,SHA256=05F6FD8B12DF9D09A95F979967499592B63925C807BBF3272D44C1D3D6D3220F | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 1535415 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:38.716 | {AEE49BD1-41F7-6132-D100-00000000F101} | 3472 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-296.attackrange.local | 60620 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535414 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:45.090 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=93E670FB023FFE979B68F32DC4604EB2,SHA256=0989DDFA98E45ABE3E74D03D16C8A6CDD104E4E8CA6723CC6FB85AF675E03AE6,IMPHASH=00000000000000000000000000000000 | false | true
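The records in this dump are Sysmon events whose XML tags were stripped on export, so adjacent fields run together and long records wrap at spaces. The Python below is an added example, not part of the dataset and not Sysmon or Splunk code: it recovers the fields by matching each event type's schema against the fused text (using the fact that Sysmon's Task equals its EventID to split the fused header digits), then runs three example detection rules over five records copied verbatim from this dump plus two constructed records that are marked as such. The allowlists of expected service-key writers and expected destination ports are assumptions for the example, not facts from the dataset, and the parser assumes RuleName is "-", Image paths end in ".exe", addresses are IPv4 and registry Details are DWORD/QWORD/Binary Data; anything it cannot split is kept raw.

```python
"""Recover fields from tag-stripped Sysmon records and run example detections.

Added example, not part of the dataset. Field order follows the Sysmon event
schema for the versions seen in the dump (EventID 11 v2, 23 v5, 3 v5, 12/13 v2).
"""
import re

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
GUID = r"\{[0-9A-Fa-f-]+\}"
DRIVE = r"[A-Za-z]:\\"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"            # assumption: IsIpv6 is false throughout
BOOL = r"true|false"
PORTNAME = r"-|[a-z][a-z0-9-]*?"             # Sysmon prints "-" or a service name like "http"

# System block plus the EventData fields every Sysmon event starts with. Task ==
# EventID in Sysmon, so the backreference splits the fused digit run "1124110"
# into EventID 11, Version 2, Level 4, Task 11, Opcode 0. Keywords is 64-bit.
HEADER = re.compile(
    rf"^(?P<EventID>\d+)(?P<Version>\d)(?P<Level>\d)(?P=EventID)(?P<Opcode>\d)"
    rf"(?P<Keywords>0x[0-9a-f]{{16}})(?P<EventRecordID>\d+)"
    rf"(?P<Channel>Microsoft-Windows-Sysmon/Operational)(?P<Computer>.+?)-"   # "-" = RuleName (assumed unset)
    rf"(?P<EventType>SetValue|CreateKey|DeleteKey|DeleteValue|RenameKey)?"
    rf"(?P<UtcTime>{TS})(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<rest>.*)$"
)

# Per-EventID layout of the remaining EventData fields. Paths are split on the
# next drive letter; Image is assumed to end in ".exe" where no drive letter follows.
BODY = {
    11: re.compile(rf"^(?P<Image>{DRIVE}.*?)(?P<TargetFilename>{DRIVE}.*?)(?P<CreationUtcTime>{TS})$"),
    23: re.compile(
        rf"^(?P<User>.+?)(?P<Image>{DRIVE}.*?)(?P<TargetFilename>{DRIVE}.*?)"
        rf"(?P<Hashes>(?:MD5|SHA1|SHA256|IMPHASH)=[0-9A-F]+(?:,(?:MD5|SHA1|SHA256|IMPHASH)=[0-9A-F]+)*)"
        rf"(?P<IsExecutable>{BOOL})(?P<Archived>{BOOL})$"),
    3: re.compile(
        rf"^(?P<Image>{DRIVE}.*?\.exe)(?P<User>.+?)(?P<Protocol>tcp|udp)(?P<Initiated>{BOOL})"
        rf"(?P<SourceIsIpv6>{BOOL})(?P<SourceIp>{IPV4})(?P<SourceHostname>.*?)(?P<SourcePort>\d+)"
        rf"(?P<SourcePortName>{PORTNAME})(?P<DestinationIsIpv6>{BOOL})(?P<DestinationIp>{IPV4})"
        rf"(?P<DestinationHostname>.*?)(?P<DestinationPort>\d+)(?P<DestinationPortName>{PORTNAME})$"),
    12: re.compile(rf"^(?P<Image>{DRIVE}.*?\.exe)(?P<TargetObject>HK[A-Z]{{1,2}}\\.*)$"),
    13: re.compile(
        rf"^(?P<Image>{DRIVE}.*?\.exe)(?P<TargetObject>HK[A-Z]{{1,2}}\\.*?)"
        rf"(?P<Details>(?:DWORD|QWORD) \(0x[0-9A-Fa-f]+(?:-0x[0-9A-Fa-f]+)?\)|Binary Data)$"),
}
RECORD_START = re.compile(r"\s+(?=\d{5,8}0x[0-9a-f]{16}\d+Microsoft-Windows-Sysmon/Operational)")


def parse_record(rec: str) -> dict:
    """Turn one fused record into a field dict; an unrecognised tail is kept raw."""
    m = HEADER.match(rec)
    if not m:
        raise ValueError(f"unrecognised record header: {rec[:40]!r}")
    ev = {k: v for k, v in m.groupdict().items() if k != "rest" and v is not None}
    ev["EventID"] = int(ev["EventID"])
    ev["RuleName"] = "-"
    body = BODY.get(ev["EventID"])
    bm = body.match(m["rest"]) if body else None
    if bm:
        ev.update(bm.groupdict())
    else:
        ev["Unparsed"] = m["rest"]
    return ev


def parse_dump(text: str) -> list[dict]:
    """The export wraps long records at spaces, so re-join lines before splitting."""
    flat = re.sub(r"\s*\n\s*", " ", text.strip())
    return [parse_record(r) for r in RECORD_START.split(flat) if r]


SERVICES_KEY = "HKLM\\System\\CurrentControlSet\\Services\\"
# Assumed allowlists for the example; tune to the environment.
SERVICE_KEY_WRITERS = {"c:\\windows\\system32\\lsass.exe", "c:\\windows\\system32\\services.exe"}
EXPECTED_DEST_PORTS = {"8000", "8089", "9997"}   # Splunk web, management and forwarding ports


def find_suspicious(events: list[dict]) -> list[tuple[str, dict]]:
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if (eid in (12, 13) and ev.get("TargetObject", "").startswith(SERVICES_KEY)
                and ev.get("Image", "").lower() not in SERVICE_KEY_WRITERS):
            hits.append(("service key written by unexpected image", ev))
        elif (eid == 3 and ev.get("Initiated") == "true"
                and ev.get("DestinationPort") not in EXPECTED_DEST_PORTS):
            hits.append(("outbound connection to unexpected port", ev))
        elif eid == 23 and ev.get("IsExecutable") == "true":
            hits.append(("executable deleted; Sysmon archived a copy", ev))
    return hits


# Five records copied verbatim from this dump (the second keeps the export's line
# wrap inside a path), then two CONSTRUCTED records that should raise alerts.
SAMPLE_DUMP = r"""11241100x80000000000000005428160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:44.565{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:44.565{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B2F6A02E8EB898D1A94E1B997866D4,SHA256=7FBFBCE17433F3615513C675F2E166D0361901568C3180CDD8FE63A7F491F9E5falsetrue
354300x80000000000000001535415Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:38.716{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60620-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
13241300x80000000000000005428194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:11:49.360{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
12241200x80000000000000005428192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:11:49.360{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime
13241300x80000000000000009999999Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:12:00.000{AEE49BD1-0000-6132-0000-00000000F101}4242C:\Users\Public\updater.exeHKLM\System\CurrentControlSet\Services\UpdSvc\StartDWORD (0x00000002)
354300x80000000000000009999998Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:01.000{AEE49BD1-0000-6132-0000-00000000F101}4242C:\Users\Public\updater.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60700-false203.0.113.10-4444-"""

EVENTS = parse_dump(SAMPLE_DUMP)
HITS = find_suspicious(EVENTS)

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["EventID"], ev["EventRecordID"], ev.get("Image"),
              ev.get("TargetFilename") or ev.get("TargetObject") or ev.get("DestinationIp"))
    for reason, ev in HITS:
        print("ALERT", ev["EventRecordID"], reason)
```

The five copied records parse cleanly and raise nothing: the forwarder's checkpoint-file churn, its connection to 10.0.1.12:8000 and lsass.exe's W32Time SecureTimeLimits writes are all expected here. Only the two constructed records alert. The per-EventID regexes are the fragile part: a real RuleName, an Image without a ".exe" suffix, an IPv6 address or a string-typed registry Details value would land in the Unparsed field rather than be mis-split, which is the safer failure for forensic data.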
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428166 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:45.284 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428165 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:45.284 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=384A18342B4101845E7C08CB479D9913,SHA256=9167D9A5CF6B3F569B47D458AFF5069D03EEF53DAB055C35286C73BC38F83C74 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535417 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:46.932 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D82AFD025C2133145D94299B731F38A4,SHA256=556D1A432BBA8F1ABE558D38956FA1E156BBEC57566D686311DFA2C3541A2452,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 5428173 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:31.906 | {4DF467A6-D939-6137-81AF-00000000F001} | 4208 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-291.attackrange.local | 63375 | - | false | 10.0.1.12 | - | 8000 | -
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428172 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:46.612 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428171 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:46.612 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=9EEBC371123955D88169F635DC44AC77,SHA256=CDC61398E46D94AD8F5E2D0A6E7EDCF2D4BE205DA332FAD53FFE4F78F1D3A497 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535418 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:47.935 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=6B1FB80A485F2A414C798316C822F02B,SHA256=5CC1C9D60604F04C772B683D0E66C36F13525431396E185F2AAD9335F1DBC2CE,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428179 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:47.844 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428178 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:47.844 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=78BF19FBB6423E45B91DF28A2299FF2A,SHA256=51FE648C1DFCB31E1B7B985BA289E78720ACD22937A01F39CA9996E667FFF118 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428177 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:47.688 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428176 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:47.688 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=38DE423B300031218C0BC00CEC3150E3,SHA256=67EF9B8F4AA683A0F3BB9895329406FB48D7145DF8B43AA25786DA58125C7043 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428175 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:47.610 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | 2021-09-03 15:28:15.623
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428174 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:47.610 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | MD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535419 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:48.938 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D960ECC4C177931B3C074131B455ACA8,SHA256=8A68F48C3DC92BC890BB7DC0D78EB31EF395353671EEEEA121BB2702FD268906,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 5428182 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:35.263 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-291.attackrange.local | 63376 | - | false | 10.0.1.12 | - | 8089 | -
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428181 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:48.704 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428180 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:48.704 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5AC942437BDA4E94E1C103030975DF04,SHA256=FEA2B930508231017267C290984233231F690E729B8E39908B04BFBE67C3CC71 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535420 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:49.941 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=9D3E0471CACA1147092F7443D68FE7A3,SHA256=64F0689810A9632566DC0D5B32A40F89AD9DA7412C42BD62B8A9054F1C55B6AC,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428200 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:49.985 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428199 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:49.985 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=70E95234BACD238E70AA3AED4338E97A,SHA256=F1DB7FE6DAE6ACFBA2702571B1E3CF2DFA97F88048B87150E845D8D7D818A175 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428198 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:49.829 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428197 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:49.829 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=C91546BC869CC123294DB2E73D606FD8,SHA256=C064957BE1F5E1DA39666B483C1A72EC53C9349DA3DA37F1CA3850D2CA771D6A | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428196 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:49.719 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428195 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:49.719 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=BF3FDC96E2B52E108D832D649143E640,SHA256=F8226EBD3F6BDE3BE0709C4F5D462FDEF73D281ACF56463F7B9EE7CBE7653E49 | false | true
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428194 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidence | DWORD (0x00000006)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428193 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount | QWORD (0x00000000-0x1a54a846)
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5428192 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428191 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLow | QWORD (0x01d7a4d4-0x9badc8b9)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428190 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimated | QWORD (0x01d7a4dc-0xfd7230b9)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428189 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh | QWORD (0x01d7a4e5-0x5f3698b9)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428188 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidence | DWORD (0x00000006)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428187 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount | QWORD (0x00000000-0x1a54a846)
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5428186 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428185 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLow | QWORD (0x01d7a4d4-0x9badc8b9)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428184 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimated | QWORD (0x01d7a4dc-0xfd7230b9)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428183 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh | QWORD (0x01d7a4e5-0x5f3698b9)
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535423 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:50.943 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B7388493D39E91B92A96BFBFB4D71BD2,SHA256=FFE2977B56025525131025B8899B76EAC92C8F4F8E77000BF85AA704D8B23C8C,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428204 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:50.766 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428203 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:50.766 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=5D805D1263C2C19AA4ED06EEA32CF5EC,SHA256=DDBE15C7C9D636322EAF0CB06B5662C8306532281C6F07B0800AE40FED32317F | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428202 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:50.735 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428201 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:50.735 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B94154ECDE12EFB6C9A9177D286D22D0,SHA256=4AC0B46CBE6DAE85D0870ADC1F3BDFA5C04A9F35FF2FBFA6C39C0C6590B20AD2 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 1535422 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:43.729 | {AEE49BD1-41F7-6132-D100-00000000F101} | 3472 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-296.attackrange.local | 60621 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535421 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:50.072 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=DEAB431D6B91FD06B8ACDB7FAB6E575A,SHA256=C65C658FDBFAB46B39527252836587BA54DBE4E94B6DE606D1959EC370991582,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535424 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:51.944 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4C1CC040C27660E68803AB56CEB5F55E,SHA256=8C3CD8381C8D9FC6EB70A69C5C5E6607F2620806009BD8FF8C2922766DC30369,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428208 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:51.751 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428207 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:51.751 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=AD0FA7A195B40E10E13B2247228CB2A4,SHA256=8463832549CC8284E43DFD58FD07E3D8D7E852DB8A1D1D0783411D7B460A5F72 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428206 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:51.407 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428205 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:51.407 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=27F0DF3038262E9830C0FB7A4BDEA44D,SHA256=ABAA7F725B3C4F483AB8540F689BBCECFF2EF483A0069C51F479329FDE247780 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428211 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:52.766 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428210 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:52.766 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C020AEBE9D3629C55BEE114BE16B2620,SHA256=8760F869D7450F994885A69B7245726596D05199E79AE2F39CFBF2298E86B1DA | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535425 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:52.946 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4CE3F8D131900E889660784F7EA57195,SHA256=76B4A603C81A27090834F326AD2AA03E302C6BD14D4CBDB5096D62A2A6985FAC,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 5428209 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:37.826 | {4DF467A6-D939-6137-81AF-00000000F001} | 4208 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-291.attackrange.local | 63377 | - | false | 10.0.1.12 | - | 8000 | -
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428213 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:53.782 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428212 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:53.782 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=89A309A3E6AEA8D33480A8DFB5261C45,SHA256=CAB6A10463F22F0C31F0D92691E98D1342F60FF55BC6DEEFEB1A23F5B95DD948 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535426 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:53.949 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5DE40E2DD42ADCC89C5542B25D33AE1F,SHA256=454A49AF6EB9BA4545513F3AB7D7F3FF40E793CC0D9E3C48C492A448F1537C51,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535427 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:54.951 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B01BB647E4B4C58E173B936438B2B050,SHA256=6242DC0916509ABFECA4449A9190C233365A161DBBF5580FC8FF8402B1E7CBEE,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428215 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:54.797 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428214 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:54.797 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C6177FB9E653DC95E86062FE9AF19C6D,SHA256=6D82458C118A15AA427DA4F32BA93F28740DB974BA26B6D6BFECA69212DAB694 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535428 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:55.954 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B18142C7193C273098402E7DDEB89CC7,SHA256=897554B93DB96E81C7937E690C667C45EBE9E280DC9731FFAD1FC159A218C849,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428223 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.829 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428222 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.829 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=72E80CA87DBCDB3D7E2BFC228E4D7F7A,SHA256=887C023CB4E090FE24FB264423C58CDB3456DC19B7B58037FD9AFD54764777BC | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428221 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.813 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428220 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.813 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=BFCD5F2459ABFD9AA73C0F12EC672517,SHA256=F2858386604A563D2F30F995B35FAB896BDCE1AB5A23C26A52A3F4179831CBEA | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428219 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.360 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428218 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.360 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=A99483446CE4A1869E5C35AD0404373B,SHA256=ECE02BC138C4806FAB1CE9142ABD46984A6478C53F55586F7D743D8101BFAB97 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428217 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.266 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428216 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.266 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=5F4C0292BA17DCAC36294DCA7F99F440,SHA256=6F61A893F34FD1F7B1ED23C7A133EC1D5301229461793AF2DB52FC88E2CE8E2C | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535432 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:56.956 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=76C09B1B153EFC955CF482D5F6504081,SHA256=507AD6F90B61C7BEDEE7B162BC14D9EFED307E3B0F2F76AF54410DF3D0EADA8F,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428225 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:56.829 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428224 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:56.829 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B1BB1B9874CF61FB4323AA111CB54194,SHA256=0F020484490612D429A673A2CFDF4BD973AB38555112B291656716E4AE540899 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 1535431 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:49.691 | {AEE49BD1-41F7-6132-D100-00000000F101} | 3472 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-296.attackrange.local | 60622 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535430 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:56.038 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=F86BA1E6107A50CAE37D9A527D1699EC,SHA256=73B97A519178E7814D43F57706F42B522BC65AB2F30D5D820B389A48B49CCAAC,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535429 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:56.038 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=EBD9269254B4E7444CB884D552F8BA18,SHA256=6ACCBCD2BD85D535F9DCD902F685184B812AA144EC7C93B9569ED89BCCFCADD4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535433 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:57.958 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=37B478271E03D71BE4817FAF50029113,SHA256=BF65C25E57DE41B3C59F5BFBF9C44944188A3D16267D197224E2D472A3334E6E,IMPHASH=00000000000000000000000000000000 | false | true
11241100x80000000000000005428231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:57.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:57.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CF767A12DE1EAE5317BB80D43DBE9D,SHA256=72E680395F31AF6366946EE07D5E9C99CFD091874F131F54F47400D90622F4A2falsetrue 11241100x80000000000000005428229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:57.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:57.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09AD9586AD2F7083A8EEF7400CB8FBC9,SHA256=FF2067F9D7175087D9830C904CF6519B9BDBFE890024CBB747CD9F5906A4C734falsetrue 11241100x80000000000000005428227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:57.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000005428226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:57.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D557A5D8855271D4C584AFFEAB5F9D0C,SHA256=33F01C26BFF89978D7105F1274C8B4EA965374EE2A1A30A3646D105DF157D741falsetrue 23542300x80000000000000001535434Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:58.961{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F660A5D3E90EBF85591F6F96CA296C63,SHA256=D3928AF7FAE359EF7E7C384D677FD116A320675D60101C56EE416423A3507BE7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:58.860{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:58.860{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546DC6567364A1B478294B05F3D9F0F3,SHA256=C64736297D507B3C8FD51ABF704F64CD2E090D71DB18166EEFA8E6556E82C0E9falsetrue 354300x80000000000000005428232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:43.732{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63378-false10.0.1.12-8000- 11241100x80000000000000005428236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:59.876{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:59.876{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202A077A47BF2DAAA8EFF4D3B7785AF0,SHA256=E88DDD7E757DDAD90C206613A42C66CE4ABF41D81BDB58AAA25EFA4F575710DCfalsetrue 23542300x80000000000000001535435Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:59.964{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8EFFF069DB522CC82680A11830F5D6,SHA256=FC5F39FC70BCF4187AA9D15E7259A05BDC829F2118271EFF0547FB9B6829AEAD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:00.938{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005428243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:00.938{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78723483A9F7A8A739596BF4039E5899,SHA256=92167CB5217948C54292F871BA634514EBD94451AE1EAD978D05B2F9EB3496E5falsetrue 23542300x80000000000000001535436Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:00.967{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D58ED8739907E9202EA20E4525EE13C,SHA256=BF3CBCC5C1AB82D8AD20E164412D91D942C11E9667C28EAF5469292D04AB9F79,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:00.876{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:00.876{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C10C0BE58731B1407C0E509BA9AF69C6,SHA256=FC6455C3BF0ABE218F0A17C7835FE1371A799BBAFA57729D5A99ADE69741152Cfalsetrue 11241100x80000000000000005428240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:12:00.172{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:00.172{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BC9474957C0232C5414959ED1C257FC4,SHA256=96A63FE9B545383870DF41FFDC51078C2ABC5AE8424C4034B4A5226F716E53BDfalsetrue 11241100x80000000000000005428238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:00.079{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:00.079{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=83BC633D50A32207313704F48328AFF2,SHA256=74F0C0EFC29897E982CA50B49E6E45970B937F7413C1E95E08E3637AF97105E5falsetrue 11241100x80000000000000005428246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:01.969{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005428245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:01.969{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF6600D847D1ABAB84152862226E659,SHA256=54D540AE897B7AAB807ACAE09BA13A746D784DE12A1D21BE3C5082228BFDC0E9falsetrue 23542300x80000000000000001535439Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:01.970{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B263A5D4D0406DA93AE87F1F8439C4,SHA256=68B971E478CAB16E7D69F0D8BDF652FA398ACDF220397F605A6104C740692BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535438Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:01.167{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AAD22FAD55E4F81E2AF4AFAA8044111,SHA256=5EC43168F921FB37E931D43EE5237FB8AE696A0DC0B207F510CCB94D6A689DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535437Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:01.167{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F86BA1E6107A50CAE37D9A527D1699EC,SHA256=73B97A519178E7814D43F57706F42B522BC65AB2F30D5D820B389A48B49CCAAC,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005428253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:02.985{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:02.985{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5852EF1E00847BE9299ED51A949257,SHA256=C6FAC478FB658AB88955793D005676D94BDEA9682DAF5D80D4AAE588FD9B0A8Efalsetrue 354300x80000000000000005428251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:48.872{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63379-false10.0.1.12-8000- 11241100x80000000000000005428250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:02.235{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:02.235{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39446940A7C870E33B0BF357C0E691ED,SHA256=1D629A30C29D9997D1AC915A542360F5346368FAB0ECBE589DCBB84450F1EFE0falsetrue 
11241100x80000000000000005428248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:02.235{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:02.235{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09AD9586AD2F7083A8EEF7400CB8FBC9,SHA256=FF2067F9D7175087D9830C904CF6519B9BDBFE890024CBB747CD9F5906A4C734falsetrue 23542300x80000000000000001535441Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:02.972{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40895FC3EE34DEC7E45D5B678716090D,SHA256=C117FB452CA1CC189BFB20494C73FC263F38C8D81CCFBFBF4DFE3D6D351AB6C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001535440Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:54.824{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60623-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005428255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:04.032{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:04.032{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10D4068AE854E0501D953EC99136A91,SHA256=C820B343F068B0D1A957B3009A1DFC7E2868B3A6B41AC8E089D95FDA36FDBE49falsetrue 23542300x80000000000000001535442Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:04.007{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE2B30A47DD6CDF7A8D9E5007ED23DB,SHA256=585A66FD6317522116EAF5D37BCF613A86C365F1C0D339AF0780E42D21DDA801,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.954{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.954{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A6D9D0E9D5D9655D4DB98A04EC5124A0,SHA256=9B22130A32EF12DEF762823C5434CB3B7EEFB43F1E02CF3290A56167101F58E3falsetrue 
11241100x80000000000000005428261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.454{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.454{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7516E774196951AEFC4FC14219A00C4A,SHA256=C089D0A1039E5ABB33A0749D8EB35E3AD51FDE94736695023339C3446AF6A99Efalsetrue 11241100x80000000000000005428259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A8C9DF075AFD1E67A9CA1B5AA0EF7FAA,SHA256=ACD103F79694C92315D9E430FD95DCC9EF4C4E4F498E7DA0229345C15F60A187falsetrue 11241100x80000000000000005428257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D560AD9D0936E9159D4A39D1097A05F,SHA256=2A63C98B8201AABBF2F4D620056CF96BD533E2728AC359F09355369E595E7F16falsetrue 23542300x80000000000000001535444Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:05.780{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E21D0F8811C73FA330965CC33DEF3C2C,SHA256=F5A4931A7F381D8F30A08ABA2FD170D9DD722D147F95E72996EE3AF5115780C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535443Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:05.009{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6168DCFBACD8919F34720C2A19C2AA98,SHA256=72E200E2122FB66794D01FAEDBADD5C144B0C1AA33DF790EEA28028374CB0467,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:06.391{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005428264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:06.391{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C7B8155E733C176F3AD8E79E6ED291,SHA256=4A85AF2A28EFA2C276F9A6A1EAAFADCCBD197DE39BD6BED66BB4A9A4E942775Cfalsetrue 23542300x80000000000000001535445Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:06.027{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBB0ABE2CAB539E774A99CD21ABB96B,SHA256=758E6468AF8B11DCD099B7485418A6B5CE7E91D460AFD7134A1E29AA2E6866C1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:07.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:07.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CAF5E0F21CB00D1D4591F1FF3E40057,SHA256=4893FF344846BE65CDCBAD49DE57219AAABBFB7E8DB7FAD1C8529F66B755707Bfalsetrue 11241100x80000000000000005428269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:07.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:07.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39446940A7C870E33B0BF357C0E691ED,SHA256=1D629A30C29D9997D1AC915A542360F5346368FAB0ECBE589DCBB84450F1EFE0falsetrue 11241100x80000000000000005428267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:07.584{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:07.584{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4651A36E547876268FDC20153501380,SHA256=53214BDC5E36B9653F063762E46D62333D769FCD6979BF509F599D6D9888718Bfalsetrue 10341000x80000000000000001535451Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.662{AEE49BD1-4464-6132-C502-00000000F101}45004828C:\Windows\Explorer.EXE{AEE49BD1-DACA-6138-1CCA-00000000F101}4976C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80137AEF8A8)|UNKNOWN(FFFFF8CB6D4A5B68)|UNKNOWN(FFFFF8CB6D4A5CE7)|UNKNOWN(FFFFF8CB6D4A0371)|UNKNOWN(FFFFF8CB6D4A1D3A)|UNKNOWN(FFFFF8CB6D49FFF6)|UNKNOWN(FFFFF80137807103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001535450Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.647{AEE49BD1-4464-6132-C502-00000000F101}45004828C:\Windows\Explorer.EXE{AEE49BD1-DACA-6138-1CCA-00000000F101}4976C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80137AEF8A8)|UNKNOWN(FFFFF8CB6D4A5B68)|UNKNOWN(FFFFF8CB6D4A5CE7)|UNKNOWN(FFFFF8CB6D4A0371)|UNKNOWN(FFFFF8CB6D4A1D3A)|UNKNOWN(FFFFF8CB6D49FFF6)|UNKNOWN(FFFFF80137807103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001535449Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.647{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1a4cf0d0.TMPMD5=D01734B513C185F70D31918B721F4959,SHA256=42EEB2A2D24121428DB1C3CED6B22CD4D28DD42208C27788AE4A4B1C5C2C9541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535448Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.284{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A50CEA71E0F550740829D804F574E6D3,SHA256=2C4936B45E9BF3ECB3460ABC300DDD854F947EAF26346CF94110BF66659FB52C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535447Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.284{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AAD22FAD55E4F81E2AF4AFAA8044111,SHA256=5EC43168F921FB37E931D43EE5237FB8AE696A0DC0B207F510CCB94D6A689DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535446Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.046{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377A293F4F4699AFCCFDD20EED69AFE1,SHA256=CA0F637805CEC9D701BA4A10BB2672142EDBE514BF92E40506D29EA9F55F9A0F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:08.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:08.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CEB9D56059C75A1DBBB6F69903E59D,SHA256=EA6F10D254CAD5760E49D1295C89E3E8649FEF41EE8905080F0326D486390A72falsetrue 354300x80000000000000001535453Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:00.755{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60624-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535452Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:08.066{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48E08FFA40730191D49E3F8914438D2,SHA256=2FDEE4D4CADDBDADEE946E2CC92DE5C44C55FA637EEF64CB7CF30682A2AF6CBA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:09.693{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:09.693{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62EE7D4E91BFB1AEB15011596ADA8B33,SHA256=680189DC2A5BD2A8B713C5F159574701756BC9190103C56BD42BFCE8DDA801CEfalsetrue 23542300x80000000000000001535454Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:09.068{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FBD7D29C781416F450F27D02DD7081,SHA256=FC0E08D3A6BAF9A774FD727433EC592AA4AA6B907ECE353E385E75F68E422609,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005428274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:54.740{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63380-false10.0.1.12-8000- 
11241100x80000000000000005428286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.990{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.990{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0059BC91078708BEE9079E69DB6172E5,SHA256=81F3072D84DFD7F45EE0902125BDB5CF6A0B521920548048050DEF2FC1B2920Afalsetrue 11241100x80000000000000005428284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.709{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.709{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1525CDD5ECCDAD745D4B65F46841E48A,SHA256=802443AC42331DAEE3CB81C85DFCF27476CF6C9A0B2194B2D28C396BE47E790Bfalsetrue 23542300x80000000000000001535455Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:10.072{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEFF3CF53E4EEE91EEE2CD6FED8CD796,SHA256=FB916DAC36226BB263997D2930EA643FF76059314CC1C3AA9C1A391CF481905B,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000005428282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:12:10.209{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005428281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:12:10.209{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000005428280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.178{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.178{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C2674BDF3231EFD57B4B797374ED254C,SHA256=71C3DDE062593A102AA62B8126072F6E421E0785F6D51CBA62428494F594D5A3falsetrue 11241100x80000000000000005428278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=46BE56F109D4FE138BCA8A1C6B25240C,SHA256=E38A8B40A7F6345FC7DA9BB91C35BA4EE19751A076C4A96ABFBCB35377F1DE4Cfalsetrue 11241100x80000000000000005428290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:11.742{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:11.742{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF0C17445037E988E4459305ADA09B6,SHA256=DE297DA6155C1673DECC2E2466A2E991E5119A2A5C2113D45511D6569B69A934falsetrue 23542300x80000000000000001535456Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:11.074{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785C6D05BD6EC6BAECA02DBAA8E1B12D,SHA256=99BF47751C63C05EC678AE860FF6930ED5BD767ED4BCAF4F844A48E662B3C27B,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005428288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:11.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:11.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CAF5E0F21CB00D1D4591F1FF3E40057,SHA256=4893FF344846BE65CDCBAD49DE57219AAABBFB7E8DB7FAD1C8529F66B755707Bfalsetrue 11241100x80000000000000005428297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:12.757{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:12.757{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2D54B7F361B1E4B2466237742CB52C,SHA256=DDFF20E6220427B1878DDADB8CAB26A2C35A115A63A5F9BE7E26ADA134D839F2falsetrue 354300x80000000000000001535459Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:05.785{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60625-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535458Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:12.179{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A50CEA71E0F550740829D804F574E6D3,SHA256=2C4936B45E9BF3ECB3460ABC300DDD854F947EAF26346CF94110BF66659FB52C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535457Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:12.077{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF757184A87A1FE2649E09AFFFCCD6D,SHA256=DF0E99DC195B6ECA8BBC2F70D6BBABA6571E98E4AA87C276F3F6D81742591B42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005428295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:57.862{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63381-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005428294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:57.861{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63381-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 23542300x80000000000000005428293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:12.057{4DF467A6-3F58-6132-2900-00000000F001}2880NT 
AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7179MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005428292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:12.056{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-71792021-09-08 18:12:12.056 11241100x80000000000000005428291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:12.055{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-71802021-09-08 18:12:12.055 11241100x80000000000000005428302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:13.789{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:13.789{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7223A248AF68B9AB4A02CFCDA144F848,SHA256=3515FD589034FC22FF03EF7BB3D0476C679047CCD75B6A5FCFF871A7E8BD142Bfalsetrue 23542300x80000000000000001535462Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:13.982{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97A933C5BA92AD61FB93F09B36DDD714,SHA256=B1E78AABBD6BD61BFB10ABE6085445E57DE2CBC61C0A0C520C13FE09715F24A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535461Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:13.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF58F69267F86352252EA14B6C02F77,SHA256=90F6E621F352EC15E9AA2C3DEC29CF764DB32113130CEDA9C266152749477166,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:13.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:13.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94B94DAE20B5FEAAC52A31A971589498,SHA256=B6D02D336D66C278A2A4A7B397F228A87D29A9ABA7564AE1469EC93865E2BDB1falsetrue 23542300x80000000000000005428298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:13.070{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7180MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 23542300x80000000000000001535460Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:13.000{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:14.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:14.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83782BC187E153F24AFA8A14A9B4903B,SHA256=B6773C049886109651C75A7395B4C77905D23E10C1A66F96DF0E17D3B52548F6falsetrue 354300x80000000000000001535464Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.636{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60626-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 
23542300x80000000000000001535463Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:14.118{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BFA60A94EC8F319B05864D6341AC32,SHA256=BA14C5E61BBE7E0F9ED6D8C3F288858700A4C202C06F7F1F481224447C0F8C37,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005428303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:59.847{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63382-false10.0.1.12-8000- 11241100x80000000000000005428311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.851{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.851{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83AFD2C5B35093C82A11EFC6009D303,SHA256=9C93331E714B0859203B9E5231B345701F06E7F1259ECC6AAB6832EC63A94971falsetrue 23542300x80000000000000001535465Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:15.121{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3447822F9B050B78AF198A4FEA9C2F29,SHA256=3DE51F25B89C492731A34EE11FAE1B5DDA4023DE56D48B49ADE2221C05A3A8C6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=632C2DB6EFAD119F7D26B544F3F7E471,SHA256=329996EEF2421474F1CA5219C217162846B49B43AED7A8AA2EAD1D81748E9D4Ffalsetrue 11241100x80000000000000005428307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.148{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.148{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=73AC51F5EA55EEDC4FA5EFCEA84F7845,SHA256=5B3987EFDD9CCE4C77128BC00C78D77B36A41C470C963FF51BEA9C54C2940A8Ffalsetrue 
11241100x80000000000000005428315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:16.883{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:16.883{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36CD2922863345954954F296926DB72,SHA256=E51CC8B0A9DB88491C0BD045002F77D70CAEE3C25481C179353F40CF8828B69Cfalsetrue 10341000x80000000000000001535474Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.990{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD00-6138-32CE-00000000F101}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535473Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:16.989{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535472Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.989{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535471Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:16.988{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535470Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.988{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535469Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:16.988{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FD00-6138-32CE-00000000F101}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535468Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.988{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD00-6138-32CE-00000000F101}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535467Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.973{AEE49BD1-FD00-6138-32CE-00000000F101}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535466Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.123{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60499E010E0DE3D5949284033DE1325,SHA256=7777229882D64B342333D1F0F0D4D0CC43A4C2E19E1EBB1BF4F5CC8ACCB31679,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:16.039{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:16.039{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=514CAEF299B67869A6717FED6246A0C1,SHA256=865B386893AF458A3D3D6057599D20845E4D8B4911F405BBC4B662E971370FF2falsetrue 11241100x80000000000000005428317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:12:17.914{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:17.914{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BADAFEFDDDD2D552A31484D5E7BADA2,SHA256=459FE8B51DDBCAC7760B5E8FF1AF57DE3648E4BC07EB0646FC77A085FC7B5955falsetrue 23542300x80000000000000001535485Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.992{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62A0490A77D643E1DA966F8B5C812B68,SHA256=1C71A66E9C9B3949497837166DC1B7A4FCE0EFA64BE6F0E543C42464665985E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535484Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.526{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD01-6138-33CE-00000000F101}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535483Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:17.526{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535482Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.526{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535481Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:17.526{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535480Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.526{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535479Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:17.526{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FD01-6138-33CE-00000000F101}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535478Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.526{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD01-6138-33CE-00000000F101}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535477Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.511{AEE49BD1-FD01-6138-33CE-00000000F101}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535476Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.125{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7117D8D832C479A6ECA4BFAB94DA261A,SHA256=686188C7148BEC8E8C3803E8B7EE00A15271B15D0B8AE048CC7C792A8120139B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535475Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.109{AEE49BD1-FD00-6138-32CE-00000000F101}14964372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
11241100x80000000000000005428323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:18.930{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:18.930{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D37C7738449539FAA9B6715742FF6F2,SHA256=2B353258C570B210B36E837EEF065A72B5DDF254DA8FE50274B8661CE8F48CD6falsetrue 354300x80000000000000001535495Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:11.784{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60627-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535494Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87E0E6D0A6AEE4E3695843054B90D88,SHA256=AC3F70FE7F1B433F321B2D41866D3DB4158D06ECC82B823F0686E3433E11C684,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535493Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:18.126{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD02-6138-34CE-00000000F101}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535492Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535491Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:18.126{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535490Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535489Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:18.126{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535488Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FD02-6138-34CE-00000000F101}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535487Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD02-6138-34CE-00000000F101}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535486Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.111{AEE49BD1-FD02-6138-34CE-00000000F101}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005428321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:18.351{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:18.351{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEE8DFD9459C7FAD39769320E4098E83,SHA256=699B91E593F1B815146D5649C654D4D0066E6EE525887190629E9F2872C238A4falsetrue 11241100x80000000000000005428319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:18.351{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:18.351{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60E5BA48789AF47463A312D03E1C34A5,SHA256=49D2DF23EC4F6E7DFFFF556D1BF257DA7591ACD543CC9A3C56FBC87121B639D6falsetrue 11241100x80000000000000005428328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:19.992{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:19.992{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0EA793DE74B934C6A75C2EF868BFE7,SHA256=3DD7707C164130A44452795E52BF11CC9BF153223D9EEF347F5699478E8D8456falsetrue 354300x80000000000000001535498Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:13.201{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-296.attackrange.local54998-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal53domain 23542300x80000000000000001535497Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:19.126{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEB447974B9BE72384B1B20D4E590A0A,SHA256=ED62A928CB02B041F27B627CF0E45E77231952297DD8E9D0980ACE455430A270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535496Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:19.126{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4FECD585CB7B33F0D6590F2B6F702D,SHA256=E05879BF45CA6E3451721811926A30D2298F072468396EFDD9EA2DCAFAB5ABA0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:19.586{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:19.586{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEE8DFD9459C7FAD39769320E4098E83,SHA256=699B91E593F1B815146D5649C654D4D0066E6EE525887190629E9F2872C238A4falsetrue 354300x80000000000000005428324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:04.894{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63383-false10.0.1.12-8000- 354300x80000000000000005428334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:06.197{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal51686- 354300x80000000000000005428333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:06.197{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal54998- 11241100x80000000000000005428332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:20.336{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:20.336{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AEA1E36602059A360ABD6C78B3B472AA,SHA256=0A04D6E61A3562DE3236A80717593CBD840D5EDF6705F291A1D579FE6628B1E3falsetrue 11241100x80000000000000005428330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:20.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:20.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B1287F4A02C2356CF9E0FFA2108032A2,SHA256=965EE0CE3AFA1DE235F271E0864858B5097C6BC5B7F059D2923B92B66A1FB290falsetrue 23542300x80000000000000001535499Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:20.129{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16041ADD0961C873BA7E3FA86BF806FF,SHA256=02563A19ABC5D777AB15A10766CE6A51A32D01D0F877FBCC5C0CF076CD309E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535500Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:21.131{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D2492DCBF4AA9824C3C894A67D6E30,SHA256=EE4141369C928A8F01A4DAD064339301966392AB97D77C91DA4A068664C16A29,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005428445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.976{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005428444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005428443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005428442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005428441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005428440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005428439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005428438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000005428437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005428436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005428435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005428434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005428433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005428432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005428431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005428430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005428351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.273{4DF467A6-FD05-6138-25D4-00000000F001}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005428350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.273{4DF467A6-FD05-6138-25D4-00000000F001}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005428349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.273{4DF467A6-FD05-6138-25D4-00000000F001}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005428348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:12:21.273{4DF467A6-FD05-6138-25D4-00000000F001}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005428347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.273{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FD05-6138-25D4-00000000F001}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005428346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.273{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD05-6138-25D4-00000000F001}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005428345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.258{4DF467A6-FD05-6138-25D4-00000000F001}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005428344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:21.258{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:21.258{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005428342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:21.258{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 
18:12:21.258{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005428340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:21.258{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:21.258{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005428338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.086{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.086{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BDE875D7170388C5E3CF886A78B89BBD,SHA256=05E922A720C7FE0649A80168503F24D2651A9F893A1FD2675EAF1AECCD561962falsetrue 11241100x80000000000000005428336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.008{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:12:21.008{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301AA4F3E126C8B9311B37AB75D0AF6A,SHA256=A63CC1EB536638DF82FF4E93CE3A8B63F3B08B6CCE719410E0EE43628475A3E7falsetrue 534500x80000000000000005428512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.773{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005428511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.773{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005428510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.773{4DF467A6-FD06-6138-27D4-00000000F001}56848044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000005428509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.773{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005428508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.773{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005428507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.664{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005428506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005428505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005428504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005428503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005428502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005428501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 
(rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005428500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005428499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005428498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005428497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005428496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005428495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005428494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005428493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005428492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005428491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005428490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005428489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005428488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005428487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 
734700x80000000000000005428486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005428485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005428484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005428483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005428482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005428481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005428480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005428479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005428478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005428477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005428476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005428475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005428474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005428473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005428472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005428471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005428470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005428469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005428468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x80000000000000005428467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005428466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005428465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005428464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005428463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.633{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005428462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
18141800x80000000000000005428460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005428458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005428456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.289{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.289{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CFB2842D95C4477258A3253E41CF566,SHA256=75820C475A093955E57BECF5877EFBFFE457504B2164E6BBB5BEEA8D11F66DF7falsetrue 11241100x80000000000000005428454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.258{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.258{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAAD449E7883BDA20D91121FDEE792B,SHA256=F36A6DB0C3E88B49C2A2A43A93664E0281C2159A663DB5A7F2816501D1058256falsetrue 11241100x80000000000000005428452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D1F7AB8F0A2BE14407A0A9F0755772,SHA256=7BBDB9A900EDD76343C9A07AD5E25CABCB88C2B9BB59BEB51D9DE13E3BA69F7Bfalsetrue 534500x80000000000000005428450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.086{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005428449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.086{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005428448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.086{4DF467A6-FD05-6138-26D4-00000000F001}80523164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005428447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.086{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005428446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.086{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image 
HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001535501Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:22.135{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48F5AC4FB2A660A91DEDCAD115E4AE8,SHA256=97E5D19954E641CCC9B3C95765D7BF8C26362BB21035654D110CE250D47E8A98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001535504Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.909{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60628-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535503Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:23.253{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7067FE39D31BFC90A655471AD95A890C,SHA256=4555EA765C02B2AEECFC2244D00F89F2E236DCB3EAB1F3E63B591966D4CF5F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535502Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:23.137{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0189E1CBC305666D106C744F6CEAF562,SHA256=2EC38651796D24B4468D404885BA98C000CD507FEA37C3E4DAF827C9F22C8EFB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.805{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.805{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B4D00F39575064F77EBF42F972CFE24,SHA256=17C956C2B68CB2FA6BB7611FA9F0C0C1BDE5B3B6C1A383BA21D2B208ACC46D1Cfalsetrue 534500x80000000000000005428570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.461{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005428569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.461{4DF467A6-FD07-6138-28D4-00000000F001}65043716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005428568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.461{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005428567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.461{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005428566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.445{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.445{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67860277EAA61241EF414B438AD3AB9,SHA256=4271AE0F016E4BBEC826012062C4256C17F6A2052FDAE3F0CEE6C2635F5F1E3Ffalsetrue 734700x80000000000000005428564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.351{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005428563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.351{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005428562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.351{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005428561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:12:23.351{4DF467A6-FD07-6138-28D4-00000000F001}6504\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005428560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005428559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005428558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005428557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000005428556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005428555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005428554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005428553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005428552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005428551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005428550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005428549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005428548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005428547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005428546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005428545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005428544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005428543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005428542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005428541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:23.336{4DF467A6-FD07-6138-28D4-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005428640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.696{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005428639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.695{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:24.695{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005428637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.695{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:24.695{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005428635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.695{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:24.695{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005428633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.430{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.430{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B7AD866A22A0F2F27C519F085415A3,SHA256=66FAF3ADE430F07239B010BF69307493EBA98759A1E15A6C6BA4A135847411D8falsetrue 534500x80000000000000005428631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:12:24.148{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005428630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.148{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005428629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.148{4DF467A6-FD08-6138-29D4-00000000F001}18607804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005428628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.148{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft 
WindowsValid 734700x80000000000000005428627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.148{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005428626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.070{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.070{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62387DDDCE159867E48415E8B1C2F897,SHA256=278C20DB2719CA7F52BD2CB8DFFCA42D75D27D2FF97F452EA70F6F1D4B3C5AA0falsetrue 734700x80000000000000005428624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.039{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005428623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:12:24.039{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005428622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005428621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005428620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005428619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 
734700x80000000000000005428618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005428617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005428616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005428615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005428614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005428613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005428612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005428611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005428610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005428609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005428608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 
734700x80000000000000005428607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005428606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005428605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005428604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005428603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005428602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005428601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005428600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005428599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005428598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005428597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005428596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005428595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005428594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005428593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005428592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005428591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005428590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005428589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005428588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005428587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005428586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005428585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005428584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005428583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005428582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005428581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005428580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005428579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.008{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005428578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:12:24.008{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:24.008{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005428576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.008{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:24.008{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005428574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.008{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:24.008{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001535506Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:25.157{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B994017F07711E6BE010CF14CA65A2,SHA256=DE770AED9B563A0BAB4440E84B5C1D17C6F800F7C0A4EEF5C63143A59BD7267F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005428761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:12:10.676{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63384-false10.0.1.12-8000- 11241100x80000000000000005428760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.461{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.461{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BAEBE88918138330CAF00C50384ABB,SHA256=D39CCA186A3D795B17E6821DFD833F3964F1689807D72D33B71F2FAA5837D060falsetrue 534500x80000000000000005428758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.430{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005428757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.430{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005428756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:12:25.430{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005428755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.430{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005428754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.383{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.383{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FFE4C8E5DCEEDB89DAF86B82346DE621,SHA256=6E308B908318326FB216AEFEA0BD6C382D3260D36FD2D726FB6655D045F591C0falsetrue 11241100x80000000000000005428752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.336{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.336{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D3B2815E7F75A488DC56B9BE5A8B79,SHA256=E7141CB936F882F217B5540CA7866ADF8093F9089BA6B9F585D3410982891262falsetrue 734700x80000000000000005428750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005428749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005428748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005428747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005428746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005428745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005428744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000005428743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005428742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005428741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005428740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005428739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005428738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005428737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005428736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005428735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005428734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005428733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005428732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005428731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005428730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005428729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005428728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005428727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005428726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005428725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005428724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005428723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005428722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005428721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005428720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005428719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005428718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005428717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.289{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 
734700x80000000000000005428716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.289{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005428715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.289{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005428714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.289{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005428713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.289{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005428712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.289{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005428711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.289{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005428710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.289{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005428709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.289{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005428708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.289{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005428707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.289{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005428706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.289{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535539Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.847{AEE49BD1-FD11-6138-37CE-00000000F101}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535538Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.708{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FC37A9DAE9A28F70758A396FCB08A5E,SHA256=C841903A0C754C376E1F0E89BC899357CEE3650B99C2364FE25B0F088024ABFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535537Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:33.325{AEE49BD1-FD11-6138-36CE-00000000F101}32845808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535536Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.192{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD11-6138-36CE-00000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535535Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:33.192{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535534Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.192{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535533Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:33.192{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535532Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.192{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535531Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:12:33.192{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FD11-6138-36CE-00000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535530Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.192{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD11-6138-36CE-00000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535529Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.177{AEE49BD1-FD11-6138-36CE-00000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535528Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.177{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E79F8257820EB8E49068734E2142E68,SHA256=27AF8431588634130E30923BBFA1B0DA1D44446BEF683CD5CB31BC719523AE75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:34.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:34.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCC7C1A7E5427C7450BE65DE92CEF10,SHA256=FDCCF717A0D8AF276335E207F65B990C12691A4D176ACCCC335C94784CAC4A66falsetrue 23542300x80000000000000001535549Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:34.894{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81B550623355EC2F1A680B048A0053D2,SHA256=ECBE4E9C2CF667C1A7A83D6B5F2316A92F13D70C20CBE623A73708735B0C6546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535548Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:34.178{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58824249C13D479CB32695F197928961,SHA256=E2DF5F016FD45E25850A3CD2EAF6C601448D0EC9C51AD1256BFCC80B40163CBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005428807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.830{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63386-false10.0.1.12-8000- 11241100x80000000000000005428806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AA483B347BBC3A7135B17EB0E4151B,SHA256=8F076DEA5654419D6D9CE1437BDD3804CC1761EC7E7072B43BDA9E4BEF2C3BB4falsetrue 23542300x80000000000000001535551Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:35.179{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42FD0C94911772E07C0CE543440F6496,SHA256=A254BFEBF80F806B571B3E8F76A44EB60FC371B7AD8EE6928B890684FB174DF9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.459{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.459{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A1C6F32E541EA23481D456AF7CF9593C,SHA256=36567C1055A749890EE5222B7F0F15C61E42CF71E909C3ED9C0D7DFAE879597Ffalsetrue 11241100x80000000000000005428802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005428801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F0ED60E578D40EB4534A81F420647240,SHA256=D3474CCD3182BC527E7A57315EC0115B85E82EDF1ED460B7C1C7813884C0F3D8falsetrue 11241100x80000000000000005428800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDD69F36ABFC38B64C891BF496F0D602,SHA256=E86B85DDE036B3B1B8D73A525C3A26E330812F4EBB40C0E45639B1F4C4246070falsetrue 11241100x80000000000000005428798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A042C7F62413258DF55C8379CDE1411,SHA256=039F8977C0F85F14BBFEF0A15284D71B29834EBBFC58C79CE55ABBCFDC7DE608falsetrue 354300x80000000000000001535550Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:27.823{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60630-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005428811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:36.975{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:36.975{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056DF49AFA4875D4E1BA90E4A932A57C,SHA256=9744A8ED93FC243258B9D580FC4027E0A6DEA74F36C4D9F91950BCACF13C073Dfalsetrue 23542300x80000000000000001535552Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:36.182{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE54066A7E9F2FDFA2DD415A2A7CD20F,SHA256=741B558FEBB851C02E3E433E84217CBF5EF340A5FCF3C6C85106E183A663844A,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005428809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:36.256{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:36.256{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5F021F043904B5556C532EB55E3E4B55,SHA256=EA292E5CA143A727EAD168AE0A7EAD3B42ECF1474C2B1D0533D5101BA81FB633falsetrue 23542300x80000000000000001535553Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:37.185{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D123E537D767D9D74D2D61DC7DB01AA3,SHA256=AC4D145A3AB7EF83BACD1628AA3A3E8D0C55A44F9179717A603830CBBF82E4EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535554Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:38.188{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEDD5CF59A0B4B31DE90F4AFFB0E906,SHA256=BE191175C0314F95220A5537FFEE50CD5AE251ACF479068A3C8B6B3A9809A3E1,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005428813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:38.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:38.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6458095C98A9F5EC1FA81818E25F66,SHA256=F5CEC19666F22D0A777B205C486690BBE4761881E64E32A517B686029C60DB9Cfalsetrue 23542300x80000000000000001535555Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:39.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96B5E629F298C57AEF84B6B5D352651,SHA256=8C0C7B073BDAF1F3ADA86C42CC41C9B6023654A1CEE13F8D7A6CC462241A1F3A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:39.053{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:39.053{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97107FA704170C9024FBA678462EC3A4,SHA256=4F1C8468772EFD4165F4D271DC40C68EB6AAE96949E807019E0E8ED6B89B8D86falsetrue 354300x80000000000000001535559Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.749{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60631-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535558Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:40.192{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53153F7715722FD59F01907004C9E3FA,SHA256=288C0B45FB40CC9F631D6C6AA2EF7EA54541727C8D43D8F2D6F8B7D88DC6DFCC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:40.522{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:40.522{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BCF1EFE799A91D33CFE06BCAD228DFE0,SHA256=475619160CF51D24DE2024D2EBD93CCA8F0126D7AF7B4D0D1FFC5EEE086EDF44falsetrue 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6944EF8ED648BAB3C2AE22422152B250,SHA256=9EF2B895E426AA8942CA18B2B6EFBDCC5B9A69F7460C431B9E890798EF2E70A1falsetrue 11241100x80000000000000005428870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:51.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:51.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1E702466177C95F54A7CA1BAE89449,SHA256=416221198D60BF1560A5C7FF30CBD7209DCE4DD96F6F1DA27BDCD1037F5359DDfalsetrue 11241100x80000000000000005428876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:52.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:52.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5335B3F454BA05A6B98B2114FE62F1,SHA256=BC97C81874223C76BFC560F55970DCD2A9452FF41871773AF2F3E38FFB93DA02falsetrue 
23542300x80000000000000001535585Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:52.258{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97996D386C60497DC1C8C05E87C62202,SHA256=D47B90896C802EE410ABC980BA6EFC0AE77425D850DDF547D3AB926CC5C24E51,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:52.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:52.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6B42D54A45B0CD9CBD43AC80EF46466,SHA256=DAA575C00B34E670B9F427FE494143A31B7B1C14984D384298AE706271AF321Bfalsetrue 354300x80000000000000005428879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:38.663{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63390-false10.0.1.12-8000- 11241100x80000000000000005428878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:53.465{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:53.465{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919605144EA878B34D61BDB2EE2D5177,SHA256=C59F47A0912932A04507BF27D9F0C9268E9B15946AA8840B9B127CAE9FCD865Bfalsetrue 23542300x80000000000000001535586Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:53.278{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50482EAB0732C20B755986D2A3F2B29,SHA256=99B6F94DA02CF74F6EC0D16BBB8E7F4FC0242443A5E302A32E5136D3C6CAF161,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:54.480{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:54.480{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3673824A2F0D2C1D1342893A65D024B1,SHA256=60BDBCFCE32044FF52CDDA116BE9CFECF9D8D87E865B9545B8EF7019CA114BA5falsetrue 
23542300x80000000000000001535587Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:54.284{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3644798A4DC3A2FBEAA4B76FD1656583,SHA256=7984F1357880BD6FE66674EF38315FD59930CFC9374896B4979C447F660B0A59,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:55.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:55.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E6149CB5CEDE09B783B7EB32BFE8B718,SHA256=F3B66B0B855738AA77BB96407AF2BEAD901DF02B778CCB699582BF82EC068706falsetrue 11241100x80000000000000005428885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:55.559{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:55.559{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=98022B1734D4E3229ABC7E99460E1A9E,SHA256=274F76696539F3CAD0E3971C95EEA056A297CA2DFDADFE79F22FEAC5CD959E19falsetrue 11241100x80000000000000005428883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:55.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:55.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2149CA48289B0D81100BA59B8D83F760,SHA256=918B03031A84B442C819A55ACB8B062548222CD67EC80139E49E0EE28236DAFDfalsetrue 23542300x80000000000000001535590Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:55.287{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F4881BC041C0487CA905B2124EDE69,SHA256=C5B6E4789E52CBBC293B989A1812C53FC9C5949A88C841896B09A001FE3404DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535589Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:55.235{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01F3528F463BDC206504A32E1293A46E,SHA256=6A03FB4CC645FCAC2394E3CD1674EEB81E1CD75C08C666F6460E459678669DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535588Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:55.235{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A863FB3E465D89B8D9B9A4DBC7DBD888,SHA256=1943264A53D155F033F053EC2CCE14BD509F5CCB987686DF1F4F65C9ABBA5816,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:56.543{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:56.543{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CF97479EF4E80A91C1012948305E44,SHA256=EBB2F66A9A87CF1279D1B985558765F40EB1FA55AC89031B563DD4A8C86086E8falsetrue 23542300x80000000000000001535592Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:56.306{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5D09D4AAD21E766328E75FF1E34669,SHA256=2D2E1D1F79F271884C7302FDA9DE4B351919EBCF8B6FC65827E884AA969A0D0C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:56.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:56.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FF93E635753B9A5E5FCA0F985EE975C4,SHA256=35179DEA66FE7BE2AF5EAF46E7F81D0391F19896DA7CC426280829ADB239DE5Efalsetrue 354300x80000000000000001535591Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:48.891{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60634-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005428895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:57.574{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:12:57.574{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EAD3C79A573F29B4DE0E5E7BC6C0FE3,SHA256=6D70FC1C529DA3A917EAD58425673C7B12E28DBEBD6D378D268ECE51523BCA89falsetrue 23542300x80000000000000001535593Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:57.309{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28DB5728C9E2A7B926D7CE12B410272,SHA256=3EBDB93D1D08AB7705D6B94C3D5432B245D13687D12924F882DD1DA2D947C6B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:57.121{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:57.121{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F64CB6304F92769E8CEEF784C5ED073,SHA256=DC86B90D72520BABC2070CBE6999B4AC71325B1D9652972D053D2FD16C9E8D04falsetrue 354300x80000000000000005428898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:43.741{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63391-false10.0.1.12-8000- 11241100x80000000000000005428897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:58.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:58.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77FBD47FC388C0E671EE8B05996989F,SHA256=67E1B907147833325C5D6A3436341FC40A3591542F7E1892537BFBD5F1D3C81Efalsetrue 23542300x80000000000000001535594Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:58.328{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA8D4E9ED43CDB73F8DB36C4643ABBA,SHA256=3B22DE256F9D9A127459634BF4AF55219E1BFE09A8432A7DFB141042CB2C1C3C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:59.637{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:59.637{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AD116123300B4CB6D36237AF9731A1,SHA256=EAC738B17CC154A3F7BED82937DD1B28D8984BDCF79EE8DD07AC16ACC825E1E4falsetrue 23542300x80000000000000001535595Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:59.331{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855EE0D8285E5D1A32CD8C628A8F2207,SHA256=7F2E9860E06FFAA4BF6F97DFB3E4EE8FF27EAC8B1EC3B8D56BC3F05907822FA2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:00.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:00.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=130DAFF61192BB721A38361B71850A8F,SHA256=E4DBE7DA83B61A25B6820E4A72841BEF2CDD916931144730DE1326156AF32E29falsetrue 11241100x80000000000000005428904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:00.699{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:00.699{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FF16C83DCCDFCAC224729C10093279AD,SHA256=9A7611E88ED4B822D821A96BEDCCE3F64461ECD71784F227AAA1257518FAAF43falsetrue 11241100x80000000000000005428902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:00.699{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:00.699{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6992FFBE49CE88B8DC549520CD8A6DA,SHA256=23202A966FC3342348237F2FBFB9BAFEC09004BE5A19437A6F3BFFCAA98D5D24falsetrue 23542300x80000000000000001535596Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:00.349{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E64D0D71D33431E124CCB0F5939272,SHA256=802CF35C3A02E3850AC4061BC1E2A605FB1576E78FC7E29304836BDBC97A1649,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005428910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:01.715{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:01.715{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEEFEC873C1EADB6A4B6B9ED58E4A92,SHA256=896BDDE26608E71BD5C2B90BD597A17391FDB20C7F7BDACC8C66FB20ECA3D81Dfalsetrue 23542300x80000000000000001535599Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:01.352{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081E30F6C9E92C612D205CB40578902D,SHA256=C48AB094C980C9499265D84D16F627DC0814CFFFE2BD1857BD88CC5AD5265FBD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:01.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:01.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A4C439CB4DABCA005379E2EA482F7E40,SHA256=3AAEF556DB01C4A594482FEAC182ABA5C7A1862F35B1D63FFA49AF7B05A21288falsetrue 23542300x80000000000000001535598Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:01.151{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F6FC53918260C82EC35E965464E5AED,SHA256=8A10148E37291E988947366B07A04903861D967C56D788A6475C6D6ED6CCCC73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535597Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:01.151{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01F3528F463BDC206504A32E1293A46E,SHA256=6A03FB4CC645FCAC2394E3CD1674EEB81E1CD75C08C666F6460E459678669DF9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:02.762{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:02.762{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D681E35C350DD0D4420A729628F4BD,SHA256=6AB89CEFE1A46D76AEF78CAAB3ED256B397E8023A94642AEEA424A33C5BA4E90falsetrue 23542300x80000000000000001535601Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:02.355{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9031B13E9DA10D99BD94701A2051B3B2,SHA256=59B26DAFC53E132CF9D8B7E3BAF0875AE6AB371F7AEE834BCEC0F1A7C824E2D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001535600Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:54.776{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60635-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005428914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:02.309{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005428913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:02.309{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69F983FB53473E955C26D5610BDD4F53,SHA256=B5A37EBCBBA046B7B417D351D00DC01EE4C39D18AB950C67C384BB27C82A9169falsetrue 
18:13:16.994{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535639Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.994{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535638Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:16.994{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535637Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.994{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535636Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:16.994{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FD3C-6138-39CE-00000000F101}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535635Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.994{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD3C-6138-39CE-00000000F101}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535634Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.979{AEE49BD1-FD3C-6138-39CE-00000000F101}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535633Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.642{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F0767252EE3C4231B116922559201E,SHA256=DEE62730C1D592A63B5ED1A033E2823AE5B7E257A60BA57A861312232FE43DD1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:16.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005428978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:16.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F9EDA76CF222FA50B549E9AEBE3EE4FB,SHA256=DAB2C1019A70A4BB9BAB9558DBC76994035FAA790365941004FF53A8EBBE6F92falsetrue 
354300x80000000000000001535632Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:09.894{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60643-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535631Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.241{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECFBF8CC3CB2DB961F958BBBD3BB4029,SHA256=7744A0F77A42ADCFBABC0B6B417482815FC04AD87D394F0B25D7F9C114FE7E90,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005428983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:17.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:17.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257EA8D58BEBF8145BD90A3A2FBF5AB6,SHA256=1C23AB732E74D1184F04B451E8E5A1C11E0397F748A3D748FD8129A3B3DBBD44falsetrue 23542300x80000000000000001535652Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.996{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84053A353AF05DC5B4FF48BC9043B9C8,SHA256=E44C43D1E41A771A3381246A30B6643AAD70925AD8166B4FE5BCD64089BBF41B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535651Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.811{AEE49BD1-FD3D-6138-3ACE-00000000F101}57323348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535650Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.680{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD3D-6138-3ACE-00000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535649Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:17.680{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535648Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.680{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535647Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:17.680{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535646Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.680{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535645Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:17.680{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FD3D-6138-3ACE-00000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535644Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.680{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD3D-6138-3ACE-00000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535643Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.665{AEE49BD1-FD3D-6138-3ACE-00000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535642Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.649{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68AEE2D9BCA6C960CF7EF96FBCBCDFA,SHA256=439C826DBCD9240E7603CD23DBEDF9528895C5BF2ACB26E91F60CCCA95248DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535661Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.683{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6669EA1AF97DE98CCC9DF8AF087D830A,SHA256=D337010632FCAD193BE6740ADE0695CF6D03C0DFA317EDF39B55F9925125F5FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535660Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.382{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD3E-6138-3BCE-00000000F101}1000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535659Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.382{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535658Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:18.382{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535657Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.382{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535656Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:18.382{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535655Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.382{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FD3E-6138-3BCE-00000000F101}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535654Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.382{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD3E-6138-3BCE-00000000F101}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535653Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.367{AEE49BD1-FD3E-6138-3BCE-00000000F101}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535663Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:19.686{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852D33980D365EC8E42D61D54EAE0995,SHA256=68204E6D74C0A121AD28259E9790B9561F1EC777FA6A6DB6A97FDE9A90883487,IMPHASH=00000000000000000000000000000000falsetrue 
18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005429034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005429033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005429032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft 
WindowsValid 734700x80000000000000005429031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005429030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005429029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005429028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005429027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005429026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005429025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005429024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005429023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005429022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005429021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005429020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005429019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005429018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005429017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005429016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005429015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005429014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005429013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005429012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider 
InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005429011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005429010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005429009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005429008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005429007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005429006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005429005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005429004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005429003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.253{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005429002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:13:21.252{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005429001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:21.252{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005429000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:21.252{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:21.252{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005428998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:21.252{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005428997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:21.252{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005428996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005428995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BC00A21E75A9D5433298119744F378,SHA256=ADD1AFA9606881926D3CF47180589486D509735A5E8C39E0416808A4BB7C7FA8falsetrue 23542300x80000000000000001535668Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:22.694{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D7C915365DFEFFBBEA844F278FFE47,SHA256=E4F9630002FB72ADDEEE752C7F1056B64EBCF53B05DAD5B781631C33CE4B2D60,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005429173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.768{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005429172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.768{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005429171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.768{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005429170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.768{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005429169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.658{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005429168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.658{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005429167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005429166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005429165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005429164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005429163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 
734700x80000000000000005429162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005429161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005429160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005429159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005429158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005429157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005429156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005429155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005429154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005429153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005429152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x80000000000000005429151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005429150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005429149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005429148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005429147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005429146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005429145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005429144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe 
OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005429143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005429142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005429141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005429140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005429139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005429138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005429137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005429136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005429135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005429134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005429133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005429132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 
(rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005429131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005429130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005429129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005429128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005429127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005429126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005429125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005429124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.628{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005429123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:22.627{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005429122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 
18:13:22.627{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005429121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:22.627{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005429120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:22.627{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005429119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:22.627{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005429118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:22.627{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005429117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005429116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DA684781B36A1BFEB55991B5319959A,SHA256=9C702C9000D9B2C94B386A0F355E969B9FA181057E73C29E207EA02C9B4179B1falsetrue 
11241100x80000000000000005429115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.252{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.252{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D4F3C3A944004A63E62E6BE0576FD0,SHA256=9AE04F67D453F826AAF4D9F2E8C1E019E1CF206C25A98702F480343943CF54D3falsetrue 11241100x80000000000000005429113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.236{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.236{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B58F39B2E04BE0D523753A6B7D9747,SHA256=820EDF37AAF53BDE8FCA3C4D0E63096159A853D7793DED4ED0CEDF9D2AD132F2falsetrue 534500x80000000000000005429111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.080{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 
734700x80000000000000005429110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.080{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005429109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.080{4DF467A6-FD41-6138-2DD4-00000000F001}8004364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005429108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.080{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005429107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:13:22.080{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x80000000000000001535667Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:15.832{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60644-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535666Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:22.240{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F04A86D7DB81E84E21480DBE4AE6F8F,SHA256=415E8FB403FA9149D0ED7E73F6B5755D34711800F7B023A3FA4A607266AD4249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535669Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:23.697{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CD9FD0F66F40723E3218BD998B208B,SHA256=E10BAD44C96032BBF83EDE78F7381C97A5E9BE8BE32FF9CC1427F8EB8ACE2A65,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005429233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.768{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005429232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.768{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87CC2D6C491CC9E7A8455BAE36F7FF39,SHA256=B22F0708C87ACC120629C6E7DD8725BCF53C794B31C0567222BDFCEE4F0C118Dfalsetrue 534500x80000000000000005429231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005429230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005429229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-FD43-6138-2FD4-00000000F001}80724968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005429228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 11241100x80000000000000005429227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F90140BE322DB9658EB69CEF3118DA,SHA256=3F225033AF0F8086B855C77B38067B1A8CDE654E02F7C19BDE3C12FC1E6B47E4falsetrue 734700x80000000000000005429225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005429224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005429223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005429222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005429221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072\srvsvcC:\Program 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005429321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005429320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005429319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005429318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005429317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005429316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005429315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005429314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 
(rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005429313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005429312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005429311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005429310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005429309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005429308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005429307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000005429306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005429305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005429304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005429303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk 
Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005429302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005429301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000005429300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.536{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005429299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:24.533{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005429298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:24.533{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005429297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:24.533{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005429296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:24.533{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005429295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:24.533{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000005429294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:24.533{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005429293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B97985C68664E41BE1591EED5E823A,SHA256=E81DA7D842B1CFC8F698F6F4E015419EFBB141419F79DBF0EF3221B7EB2A4AF5falsetrue 11241100x80000000000000005429291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694BDECD9227F1B6C1170FC9E66C94C0,SHA256=481AD0907A09D12A55944A53F8EAAC92E8EAECFEB77198D55992E49F2AF03F02falsetrue 
534500x80000000000000005429289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.143{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005429288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.143{4DF467A6-FD44-6138-30D4-00000000F001}62125912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005429287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.143{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005429286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.143{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005429285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.033{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005429284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.033{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005429283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.033{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005429282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:24.033{4DF467A6-FD44-6138-30D4-00000000F001}6212\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 
734700x80000000000000005429281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.033{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005429280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005429279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005429278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005429277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005429276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005429275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005429274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
734700x80000000000000005429273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005429272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005429271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005429270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
734700x80000000000000005429373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005429372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005429371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005429370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005429369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005429368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005429367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005429366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005429365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005429364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005429363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005429362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.159{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005429361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:25.158{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005429360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:25.158{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
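The three Event ID 10 records stamped 18:13:25.174 (conhost.exe, csrss.exe and the parent splunkd.exe each opening the newly created splunk-winprintmon.exe, PID 7796, with GrantedAccess 0x1fffff) are the handle activity that accompanies every process start, and a rule keyed on 0x1fffff alone fires on all of them. The Python below is an added example, not part of this log export nor Sysmon or Splunk code: it correlates Event ID 10 with the Event ID 1 record 5429362 to suppress the creating parent, allowlists the csrss/conhost subsystem processes, and ignores handles that carry no memory-access rights. SAMPLE_EVENTS holds only the fields the logic needs; records 5429362, 5429363, 5429364 and 5429369 are taken from this page, while record IDs 9000001 and 9000002, their GUIDs and the path C:\Temp\unrelated.exe are constructed to show a hit and a harmless-rights case.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) against Event ID 1 (ProcessCreate).

Added example. SAMPLE_EVENTS are reduced copies of records on this page plus two
constructed events (RecordID 9000001 and 9000002) that do not exist in the log.
"""
from __future__ import annotations

from typing import Iterable

# PROCESS_* access rights (winnt.h) that let a caller read or tamper with
# another process's memory or threads.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
SENSITIVE_MASK = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                  | PROCESS_VM_READ | PROCESS_VM_WRITE)  # 0x3A

# Subsystem processes that open every new process with full access at start-up.
SUBSYSTEM_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\conhost.exe",
}

UF = r"C:\Program Files\SplunkUniversalForwarder\bin"
PRINTMON_GUID = "{4DF467A6-FD45-6138-32D4-00000000F001}"
SPLUNKD_GUID = "{4DF467A6-D933-6137-53AF-00000000F001}"

SAMPLE_EVENTS: list[dict] = [
    # Event ID 1, record 5429362: splunkd.exe (7044) starts splunk-winprintmon.exe (7796).
    {"EventID": 1, "RecordID": 5429362, "ProcessGuid": PRINTMON_GUID,
     "Image": UF + r"\splunk-winprintmon.exe",
     "ParentProcessGuid": SPLUNKD_GUID, "ParentImage": UF + r"\splunkd.exe"},
    # Event ID 10, records 5429369 / 5429364 / 5429363: 0x1fffff opens of the new process.
    {"EventID": 10, "RecordID": 5429369,
     "SourceProcessGUID": "{4DF467A6-D934-6137-57AF-00000000F001}",
     "SourceImage": r"C:\Windows\system32\conhost.exe",
     "TargetProcessGUID": PRINTMON_GUID, "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "RecordID": 5429364,
     "SourceProcessGUID": "{4DF467A6-3F46-6132-0500-00000000F001}",
     "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetProcessGUID": PRINTMON_GUID, "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "RecordID": 5429363,
     "SourceProcessGUID": SPLUNKD_GUID, "SourceImage": UF + r"\splunkd.exe",
     "TargetProcessGUID": PRINTMON_GUID, "GrantedAccess": "0x1fffff"},
    # Constructed, not in the log: an unrelated process opening the same target.
    {"EventID": 10, "RecordID": 9000001,
     "SourceProcessGUID": "{00000000-0000-0000-0000-000000000001}",
     "SourceImage": r"C:\Temp\unrelated.exe",
     "TargetProcessGUID": PRINTMON_GUID, "GrantedAccess": "0x1fffff"},
    # Constructed, not in the log: PROCESS_QUERY_LIMITED_INFORMATION (0x1000) only.
    {"EventID": 10, "RecordID": 9000002,
     "SourceProcessGUID": "{00000000-0000-0000-0000-000000000002}",
     "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetProcessGUID": PRINTMON_GUID, "GrantedAccess": "0x1000"},
]


def parent_index(events: Iterable[dict]) -> dict[str, str]:
    """ProcessGuid -> ParentProcessGuid for every Event ID 1 record seen."""
    return {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == 1}


def classify(ev: dict, parents: dict[str, str]) -> str:
    """Verdict for one Event ID 10 record: benign_rights, subsystem, parent or review."""
    granted = int(ev["GrantedAccess"], 16)
    if granted & SENSITIVE_MASK == 0:
        return "benign_rights"          # no read/write/thread rights requested
    if ev["SourceImage"].lower() in SUBSYSTEM_IMAGES:
        return "subsystem"              # csrss/conhost start-up handle
    if parents.get(ev["TargetProcessGUID"]) == ev["SourceProcessGUID"]:
        return "parent"                 # the creator keeps a handle to its child
    return "review"                     # everything else is worth an analyst's look


def triage(events: list[dict]) -> dict[int, str]:
    """RecordID -> verdict for all Event ID 10 records, using Event ID 1 for parent links."""
    parents = parent_index(events)
    return {e["RecordID"]: classify(e, parents) for e in events if e["EventID"] == 10}


if __name__ == "__main__":
    for record_id, verdict in triage(SAMPLE_EVENTS).items():
        print(record_id, verdict)
```

The parent link is made on ProcessGuid rather than on PID 7796/7044 because Sysmon's GUID survives PID reuse, which matters when the Event ID 1 and Event ID 10 records are hours apart. The filter only removes the creation-time noise; the "review" bucket is where a real rule would go on to inspect SourceImage reputation and the CallTrace frames.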
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5429359 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:13:25.158 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 5429358 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreatePipe | 2021-09-08 18:13:25.158 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5429357 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:13:25.158 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 5429356 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreatePipe | 2021-09-08 18:13:25.158 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429355 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:25.064 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429354 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:25.064 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=15CC250ED038C3AEC5486C0516EDE39B,SHA256=0F80EDFC6EF2FA2E594ECEAA8A4E1282276805DE54732F161B3901133329E132 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429426 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:26.768 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429425 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:26.768 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=450187243987B7AEAFFA8F9AFC266A5A,SHA256=195E73418DDC0F3A7DC6C6C80F62ED90F36160BA11725665BFE9CFC128891882 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429424 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:26.611 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429423 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:26.611 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E25FF6B9ED01BB016CC0863207E4E116,SHA256=BD60EBF534BD589F431DA852926233B6A974E19BEFB39F0D822D4D9953E452C1 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535672 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:26.751 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D4BEE229B6D1F16AC1726BB4FDAB4D66,SHA256=987A771738853611CBC941DA7C5632B2BA55CF71A198B2B0D33DA6E607325859,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429422 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:26.346 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429421 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:26.346 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=A0771C01528DD83C70A00FE89C846170,SHA256=331890949666A21F0FB9309C0E51F8F3D2BCCF6541AD28DEAA172553549926AF | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535673 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:27.752 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D5099785F99956D2CCA05F1654BF510D,SHA256=4EAA5581574D0E2644F3700E628C1894E675015A439BE6130A29D4BCC5E166C4,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429444 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:27.926 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429443 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:27.926 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=A7055EF459FA74EADE47A98131726CDD,SHA256=5BC9D251804FB22B1DB2CAD1F2CF9317756763C871137BE0822778B6A447575B | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429442 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:27.614 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429441 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:27.614 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5EE9F56BFB8FE7C8E20BC251D1118F76,SHA256=57163228B96253B46FD67667EC8E411352DCD7192E90F83B38547EDB465F0C40 | false | true
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5429440 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities | 1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5429439 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds | 05804129,7202269,17102418,41484365,39965824,7153487,17110988,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429438 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429437 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429436 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429435 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429434 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft\Office\16.0\Common
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429433 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft\Office\16.0
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429432 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft\Office
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429431 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429430 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429429 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | DeleteKey | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429428 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | DeleteKey | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429427 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:13:27.114 | {4DF467A6-D3A4-6138-36CD-00000000F001} | 6780 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | HKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535676 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:28.773 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DB201ACD1A52D0FC1F6BD5FED91351DC,SHA256=5B2FD15645BE19A124489A1C7249CF7DA23263721797D3E83A955D70EB2D8B28,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429446 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:28.848 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429445 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:28.848 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=A9BA339403EC25EEAD9A79249B7C5C30,SHA256=34C68B96798F20ADF43E00BAB97143B9FC2939A6CC999BA9663CA1C7A5ACDED1 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535675 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:28.022 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=60B79E852F22F637689572EE69FDE97E,SHA256=CAE92EEBB38A26116B3EF29839D021EEB1A37D4F04A8FFBEE5358408DDB0F9E1,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535674 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:28.022 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=209233E161907BC67580B8067D14287C,SHA256=4BAC77192B30006478737A383B9CBC00DE040945040823867AFE690BD31446A3,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429448 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:29.973 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429447 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:29.973 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=41F3C135E1EE9D736C3FDC00EFC26B43,SHA256=534CBA08A8D6BF915D86A449ABDE2BCD39FCD191B904228AC45C4A9DA7599455 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535678 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:29.826 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5919D4FFA6B62891687C32B88679D911,SHA256=AC215043C78896B990997A0B057DEC8D54E4F649BFAA68335FDEBC3470F1598B,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 1535677 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:21.678 | {AEE49BD1-41F7-6132-D100-00000000F101} | 3472 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-296.attackrange.local | 60645 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535680 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:30.829 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=79262B1D2FEA4019463BE14AFB010B6D,SHA256=610E495587C88892FD5C441403FC86CE603E475EF2AEC3A23C987D35DAB5E8B2,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429454 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:30.989 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429453 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:30.989 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=197B5177D35009C277B92C7505142236,SHA256=CB58FD809285113CAE7E336AE51E480B3A28D6A9E647C44F3149CA379AFDA05B | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429452 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:30.895 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429451 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:30.895 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=5611870E00EADB32505AC3CA167A88CD,SHA256=8F6DAAB7BF758BB2AAAD7E54CEBA067846C8B6B9BCD6E3E560CD89A0A57400BB | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429450 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:30.254 | {4DF467A6-3F48-6132-1000-00000000F001} | 8 | C:\Windows\System32\svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat | 2021-09-03 15:30:12.187
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429449 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:30.254 | {4DF467A6-3F48-6132-1000-00000000F001} | 8 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat | MD5=4636AB558019A1481B0BF9DA12B19F5D,SHA256=66A9721ECBD59A1A983B78D8115AE89A49E08E39D2E72C432E2D843AA7886569 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535679 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:30.097 | {AEE49BD1-415B-6132-1B00-00000000F101} | 1836 | NT AUTHORITY\SYSTEM | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | C:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7171 | MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535682 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:31.831 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=01EE4812B285F48AA0F3609FE45C78D4,SHA256=7FADC1CDB444A9543F9D26A79CC85C64F3F7A9C2902EDE37BA0D016C7DC54EAB,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429461 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:31.801 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429460 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:31.801 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=4AFDDDBD693BA16A1867E38F2DCF7121,SHA256=2AA8F05B17783CF810AD3631B68E603749A694BEF71A350F20A9CF662C7F9AD3 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 5429459 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:17.733 | {4DF467A6-D939-6137-81AF-00000000F001} | 4208 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-291.attackrange.local | 63398 | - | false | 10.0.1.12 | - | 8000 | -
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429458 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:31.129 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429457 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:31.129 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=AB125145AD91B26249E394F9774E2D08,SHA256=599A48E5F8CD5AE5CEFFF53FEB0BA48F180C473E651D1C696B9078AD9039EC68 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429456 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:31.004 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429455 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:31.004 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4500449E095EBC91482572E09580F20D,SHA256=9CE95B0F0A85A007DC810B6EC5D652E73DCF697BF8B23C18105A1DF16CEDF491 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535681 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:31.099 | {AEE49BD1-415B-6132-1B00-00000000F101} | 1836 | NT AUTHORITY\SYSTEM | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | C:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7172 | MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535692 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:32.832 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=133FCD0B41F7C940548A1F6ACA581E4E,SHA256=69FAC99B28E344F7607193521D0F9BA25ED3A6C4204D1A2078658A134F676868,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429463 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:32.036 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429462 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:32.036 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=EC103A73175F477E6F2C0DD62B0BB652,SHA256=FC550A8ACAFE91D989EFE3F92648E7A5288A17EBF0A5337B500C4BFA7C38B1DC | false | true
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 1535691 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:13:32.617 | {AEE49BD1-FD4C-6138-3CCE-00000000F101} | 32203268 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | {AEE49BD1-41F0-6132-A300-00000000F101} | 3384 | C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535690Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:32.485{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD4C-6138-3CCE-00000000F101}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535689Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:32.485{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001535688Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:32.485{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535687Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:32.485{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535686Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:32.485{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535685Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:32.485{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FD4C-6138-3CCE-00000000F101}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535684Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:32.485{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD4C-6138-3CCE-00000000F101}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535683Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:32.480{AEE49BD1-FD4C-6138-3CCE-00000000F101}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001535714Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.934{AEE49BD1-FD4D-6138-3ECE-00000000F101}46324284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001535713Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.887{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4897E68F01B28ABF99075C5BA07810,SHA256=9A249405B8B01413AF48AEE50F4F9868D77BAA67CD91AAAA42A9ACDE06937B04,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005429465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:33.051{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:33.051{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9072172547B9DCC6AC5D84935EFA58F,SHA256=F1C380D5D4FA34F21E798FF485DDD15F80BD129427A9CF009018C03DC6E4348Cfalsetrue 10341000x80000000000000001535712Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.787{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD4D-6138-3ECE-00000000F101}4632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535711Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.787{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535710Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:33.787{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535709Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.787{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535708Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:33.787{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535707Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.787{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FD4D-6138-3ECE-00000000F101}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535706Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.787{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD4D-6138-3ECE-00000000F101}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535705Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.781{AEE49BD1-FD4D-6138-3ECE-00000000F101}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001535704Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:26.820{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60646-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001535703Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.232{AEE49BD1-FD4D-6138-3DCE-00000000F101}49445268C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001535702Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.163{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E11337EE15575401AE0025ACE0A567D,SHA256=76EB550CB263F607A9F7DE90CDE1DFBCE835D0A0018AEF4FC93D8CD9557B2C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535701Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.163{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60B79E852F22F637689572EE69FDE97E,SHA256=CAE92EEBB38A26116B3EF29839D021EEB1A37D4F04A8FFBEE5358408DDB0F9E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535700Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.117{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD4D-6138-3DCE-00000000F101}4944C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535699Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.117{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535698Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:33.117{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535697Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.117{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535696Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:33.117{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535695Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.117{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FD4D-6138-3DCE-00000000F101}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535694Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.117{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD4D-6138-3DCE-00000000F101}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535693Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:33.102{AEE49BD1-FD4D-6138-3DCE-00000000F101}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535716Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:34.904{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA94063F4BD8703B223A71DE3355FBC4,SHA256=591E22CC6777F83C18C6349809BAD38B3C69941CC92E0411C2708326361E4B8B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005429467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005429508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001535740Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:37.864{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60648-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535739Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:44.028{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65D680F73DF9CEB7498DA6B2A399885,SHA256=D8132F58FAE03E55E44AB74A406873BA606B226ABEC76EA944DF1E42E417E149,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005429536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:45.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:45.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4DF23534ECD5F4349F431D437BF8DF,SHA256=9904A5B91451D0568DCBEA3A8BD6896C7D451A48104DD9EABC60CA215D3B4289falsetrue 23542300x80000000000000001535741Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:45.047{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B4C99867A2D4BC81DB4F22C04BBFEE,SHA256=CB7D403794ECACA07B63AAE9CC1E79DE1EB3A684CD80ACF7460841490C1BADD6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005429544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.956{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005429543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.956{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8CE374381B381333603409988281D475,SHA256=5ED16744A4FC13B08B109BF3BE14C61FE9DB59E923A9A4E181C068800996DAEEfalsetrue 11241100x80000000000000005429542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005429541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F891FCA9ACED9D1E526DC04B27C73C2E,SHA256=E3E3841F8F0C1A2710631B53E243C44BFA0EE8DAC8302320FA9FF50988F248E7falsetrue 11241100x80000000000000005429540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.364{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005429539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.364{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0BF41566A97E1B3146A3BBFE3F499A43,SHA256=37517BA75E9C42C2E13DCDA9E608963565DB1D4103B3AAA806196287FD30B27Efalsetrue 11241100x80000000000000005429538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.364{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.364{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2F37F1D8DE154BF7489C69C89EC7E8,SHA256=00B7962D5BE569A5431601A36BA48C9ABCDA3EE6A0E494A9230DE1D0EF38C559falsetrue 23542300x80000000000000001535742Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:46.049{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CEEAF3C84F671DA2369D4DF4784EB9,SHA256=87EE7DF704238F69E71AE094A7BE0D530D98B17927C3E0A83D72C5B05C596264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535743Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:47.099{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A1B0CF0EC8872F616485B21F28C722,SHA256=C7625077FAFD5F46CD0556C64CE5353907A30E040ABC9D92C21EEA703B1D261A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005429552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005429551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=091E0BF2A2475972B89F62DDC6DA4A6C,SHA256=26A38F55DEF4CC275DE02839B3E47EB0D42B237A2EC1EAE9365F3450FC64ECA0falsetrue 11241100x80000000000000005429550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005429549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA5BD22CCB441EE26EE683FF0EBF149E,SHA256=C9FD608AD3A9F0878CEC4952B2A3164F8E55880FCF23F7B0ED2373B8AFC2C6F3falsetrue 
11241100x80000000000000005429548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.659{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005429547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.659{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005429546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.393{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.393{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4789CF7B6706D8510D2DD217342CFF6C,SHA256=89E142261A2FFC0C57F06A45E0C3681321451AC646BAA4074ABF4A5EEA5BE399falsetrue 11241100x80000000000000005429554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:48.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005429553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:48.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED62B8CB41A63F083E4AA53952FCF7E8,SHA256=572E1503A4AFD08D5C9DCB85A038E54C6B4FFBE5BD0CDC29524B7982143A246Dfalsetrue 23542300x80000000000000001535744Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:48.119{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF8C653F0AB08187D244F06B8B01DD6,SHA256=7AC1BC79FFF008B5BE9643798589632EE29C535530BA34B7CA7DF26D85534BE0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005429595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:49.581{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:49.581{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA374275D6C61F40A799B5A5DD43FB0,SHA256=4E98F67DEAAE3421BD44663AC199E66FD7649CEE05E83B395220B0E5187C0E33falsetrue 23542300x80000000000000001535745Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:49.121{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBA63BA132C2F81F5C8416B1E164335,SHA256=AA71A022E64BB8D450F219D54A4D706FA3C7D6FB18E12FD6C1DFDF5A739183D7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005429593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x80000000000000005429592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x80000000000000005429591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x80000000000000005429590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x80000000000000005429589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group 
23542300x80000000000000005429654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:01.893{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707F3572646922EC8EE805D23D39B383,SHA256=82728DB84CE89303CACEBFB429A7151E24A9E7F1193C59295DBFBEBA1699A26Bfalsetrue 354300x80000000000000001535766Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:54.728{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60651-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535765Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:01.336{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC30F118DF3A0A05A60308B19816CBF,SHA256=BBFD14F243A9A3314B1893F1EC22EA8E4E207EE95D8687AE123738EACA37C120,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005429653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:01.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005429652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:01.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A5AF1F4480F5D282AE44517A0F08D6AC,SHA256=8C2ADA457F48E95CA6A2730C37DFAC4CFCEC5CFDC1861CD840CF44B45B09935Ffalsetrue 11241100x80000000000000005429651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:01.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005429650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:01.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DFB12B4FD8F1B7AF37C80E4DC7F72B18,SHA256=C6AF93F4732C7B3EA7A12982B41783D394D34585FEBE2284B03F73E7AAE2534Cfalsetrue 11241100x80000000000000005429649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:01.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005429648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:01.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C202EDD13CFFD6598076DDAD37500563,SHA256=00F31C9887295D9EBB2CCCD62EADB0241B7D51F945513185E0F43D1F174B2624falsetrue 
23542300x80000000000000001535764Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:01.120{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7142ECA2CB84844D5BF27C4DC9F864C1,SHA256=8E65C030ECA35E1DFE2AC0A9831386E0D0818A174FCD0F3AD85FF392FB5D4F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535763Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:01.120{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A047EBB2420E6B63D9D4BE581F9A3B6,SHA256=745A0BD29293644764923F276220B61764928C4EC35FAB2A8F52CD596C68C193,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005429661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:02.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 11241100x80000000000000005429660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:02.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:02.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E70768354ADE9F53BF69D03C43CDE5A6,SHA256=051CB519C351AB574D00F91F11DEB4E5A3A90A89BB588C76E9EFCF5F3D97FA23falsetrue 23542300x80000000000000005429658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:02.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56410A3BE121BE53BA3971551F72BDA0,SHA256=414F3D425B0E1081EA2F487C8787352EFB310A4718DFFD2902AD12BA854959A3falsetrue 23542300x80000000000000001535767Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:02.357{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05869A9FC6E429E6ABDD55494634BF0B,SHA256=502A93F8BC8061B1718DD600AA755737D0D9C9F1F5D5498669D391D47083EB84,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005429657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:02.112{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005429656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:02.112{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9BDEBD157687739805D77E9CC1EF6C54,SHA256=598FA5765B80928FE81288DD8048A42B12CCC17FDCB7F0D21B858B41D40322CCfalsetrue 11241100x80000000000000005429663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:03.940{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:03.940{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FE4879A4ADE80AD6AF814502EB9F02,SHA256=7757043F6F6ABE9E81DD7C4FF5F6F9D885AB0AEF9E33618E4D773A31BE7D4822falsetrue 23542300x80000000000000001535768Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:03.359{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B49AE8EF0E765126D36C9A088DE7F1,SHA256=BB68538B3A4E33B2576F40540755B46D5557C33A9E15BEAD207EA12EB30D0CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535769Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:04.362{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388B3D7EBFE6FDA7C7000E997FB3E6F4,SHA256=F0E29E34BBD1CC56D7687C09529EDA476B7CBB6F54F6FD3B1EEE7033EE54B93B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005429666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:50.840{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63408-false10.0.1.12-8000- 11241100x80000000000000005429665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:04.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005429664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:04.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DD5A0DEDB354FFD871BE0EBD1C78DDE,SHA256=38600062014C582EDC811F8DDBD6C1477951AACEEB0B0DF305D49E207E68F9ADfalsetrue 23542300x80000000000000001535771Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:05.786{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9E8519FD821D6B1F7BC1EDC70EF4BACA,SHA256=C4543569BD12B68091BC7ABF31CBC576079E49D1E0D54FBC9945EED90B760922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535770Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:05.364{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B184E95C6493ACC6A80238B0E462D8,SHA256=ECC234D3EF2ABAF42AC86CCA39464D610A10BD054A98C2067DC9646F9B14EBAE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005429668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:05.003{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:05.003{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2E36A64F70F9AA5B9E0932E0B42EF6,SHA256=8BBACEEB68A21106CD67B2E652587C2E54A508E8D3D835E4B498859AF2EDFB6Cfalsetrue 11241100x80000000000000005429674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:06.378{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005429673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:06.378{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E85609C89F03FC86243A95CC7633BC51,SHA256=78644F701CE9E4A50DB945A5010BF45E8810CA554963F5DDE44525A85C430BE7falsetrue 11241100x80000000000000005429672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:06.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005429671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:06.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C91CF6E775FEB8005AC842F946FC63B4,SHA256=4838C47E8BA152AB1E0A151FC25B15327FC5547493B746CAD17491917E518178falsetrue 11241100x80000000000000005429670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:06.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:06.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4804E24AFA4D7DCB0175CDD6FF1F03EF,SHA256=F701D58E7834212C4CB891C78D2A0BCD31366D8CD6B496483ACA59A5E4F294F1falsetrue 
23542300x80000000000000001535774Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:06.371{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5056D357BE38733EDF55BE9E0CF1BE69,SHA256=6BEF22D90B26EB7417EA0657FE8A2F375C66AA26518AAF7D7C219CA6878AE47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535773Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:06.249{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DE6A82D5B34C54B67F0290A5491A1A7,SHA256=BFF3D0D805DF4CB1B0E5E0BF794EBF0C93561833BA04270EA7E6425D62FA1D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535772Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:06.249{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7142ECA2CB84844D5BF27C4DC9F864C1,SHA256=8E65C030ECA35E1DFE2AC0A9831386E0D0818A174FCD0F3AD85FF392FB5D4F02,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005429680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:07.970{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005429679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:07.970{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33C6F5B1533BCC44B4BC5F7A8C27428A,SHA256=B1367434DD3E9D80DEB4DA0D230BFA8EF11044B69D4A8945EA56DFFF1980E83Afalsetrue 11241100x80000000000000005429678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:07.189{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005429677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:07.189{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C269C608876F719DC8024E6A357E734C,SHA256=8BB2F00917FB718A7F0C4A2F221F4F3035E340BBCA1A84A55A90E42614FDCDCCfalsetrue 11241100x80000000000000005429676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:07.048{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:07.048{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96FDDEB7024D82F920456181997BA6B4,SHA256=7C2786A46D1D929A0EFD9595C53F45C69FCA6920100527AA7DFB5F2FC3F23CC7falsetrue 23542300x80000000000000001535778Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:07.389{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=966B078596CF0D919E63260D88E0AC03,SHA256=F78A5483CA50762417FF7F7342E0752977C387326F52AD7E5F5E241E55435222,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535777Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:07.320{AEE49BD1-415A-6132-0D00-00000000F101}7883920C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-0F00-00000000F101}932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535776Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:07.320{AEE49BD1-415A-6132-0D00-00000000F101}7883920C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-0C00-00000000F101}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001535775Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:13:59.873{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60652-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535785Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:08.392{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52424B9A792AFD9D2D05FFF3DD7C9E1F,SHA256=DAEA63FBFD7ACB36E1F2A4B5916375BFA54B71D06ACD2E7A36DBEBC601EE5854,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535784Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:08.392{AEE49BD1-415A-6132-0D00-00000000F101}7883920C:\Windows\system32\svchost.exe{AEE49BD1-DACA-6138-1CCA-00000000F101}4976C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535783Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:08.392{AEE49BD1-415A-6132-0D00-00000000F101}7883920C:\Windows\system32\svchost.exe{AEE49BD1-4463-6132-B702-00000000F101}3756C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001535782Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:08.392{AEE49BD1-415A-6132-0D00-00000000F101}7883920C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1F00-00000000F101}1968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535781Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:08.392{AEE49BD1-415A-6132-0D00-00000000F101}7883920C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1600-00000000F101}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535780Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:08.392{AEE49BD1-415A-6132-0D00-00000000F101}7883920C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535779Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
10341000x80000000000000001535808Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.130{AEE49BD1-FD78-6138-40CE-00000000F101}54922028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535807Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.998{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD78-6138-40CE-00000000F101}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535806Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:16.998{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535805Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.998{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535804Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:16.998{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535803Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.998{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535802Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:16.998{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FD78-6138-40CE-00000000F101}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535801Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.998{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD78-6138-40CE-00000000F101}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535800Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.993{AEE49BD1-FD78-6138-40CE-00000000F101}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005429739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:17.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005429738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:17.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=60CAC0D3A2C9304DB743074515FB3543,SHA256=E2986E687AD6AD72783D2C3839EAC4E930147B8C49349E4FF476D4BC486024B0falsetrue 354300x80000000000000005429737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:02.746{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63411-false10.0.1.12-8000- 11241100x80000000000000005429743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:18.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005429742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:18.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451BDD34859A40D11861FE23E5E813E0,SHA256=9B2ED1DBE73ED7B761EFF920FC2A38EAA7133EB8B779A89362E312FE0853E14Cfalsetrue 23542300x80000000000000001535827Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:18.546{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC06BAFE0A4D889FC9C74D37C38A4342,SHA256=0C0192C0C35628190D08FDFEC3E5468B0C8D02AC16886CBC3929BEA52BDA6A3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535826Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:18.362{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD7A-6138-42CE-00000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535825Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:18.362{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535824Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:18.362{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535823Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:18.362{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535822Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:18.362{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535821Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:18.362{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FD7A-6138-42CE-00000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535820Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:18.362{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD7A-6138-42CE-00000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535819Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:18.347{AEE49BD1-FD7A-6138-42CE-00000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535818Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.999{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20A0B6FC49CDD408E64D47FD4DCADF60,SHA256=DF646BFC497AD93A4C4404C1EBA026391EC81C6194D12876AA84801B0F624C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535830Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:19.548{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EA5C914780171E5CBD44794D9CF43C,SHA256=972C91D355FC8DD54CCC43D5F279D3B862F62CF3D3E1C4DBE6112ADB15E969DE,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000005429791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005429790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x80000000000000005429789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005429788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005429787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005429786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x80000000000000005429785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005429784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005429783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005429782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000005429781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:19.987{4DF467A6-9719-6137-95A6-00000000F001}49965928C:\Windows\system32\conhost.exe{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005429780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005429779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:19.971{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005429778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:19.955{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000005429777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005429776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005429775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005429998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.034{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005429997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.034{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x80000000000000005429996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.034{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005429995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.034{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® 
Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005429994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.034{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 12241200x80000000000000005429993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005429992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.034{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005429991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.034{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 
734700x80000000000000005429990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.034{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005429989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.034{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005429988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.034{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005429987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.034{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 
734700x80000000000000005429986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.034{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 12241200x80000000000000005429985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005429984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005429983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005429982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005429981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005429980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:20.018{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exeMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88AtrueMicrosoft WindowsValid 12241200x80000000000000005429979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005429978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005429977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005429975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.018{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 
12241200x80000000000000005429974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005429973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005429972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005429968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005429967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005429964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005429963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust 
Providers\Software Publishing 12241200x80000000000000005429959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005429958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005429957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005429956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005429955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005429954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005429953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000005429952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000005429951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.018{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\System32\whoami.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005429950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=63EB5F68082B8C8C392E5DAC1D4EC678,SHA256=58EC364601FA6FE26525D8ADB44B7EDEFCFB73E72897C77B6E37F73E1C7BF871trueMicrosoft WindowsValid 12241200x80000000000000005429949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005429948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005429945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005429944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005429940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005429939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005429936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005429935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005429931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005429930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005429929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005429928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005429927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005429926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005429925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=B0DE13ABF238AB28E963629B977A012F,SHA256=43288C8A658C2F0CB0CB1C9D874506D6CEEF455AAB68CE2EF0D685DE8E3BA0C3trueMicrosoft WindowsValid 12241200x80000000000000005429924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005429923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005429922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005429921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005429918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005429917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005429913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005429912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005429909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005429908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:20.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005429905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.018{4DF467A6-9719-6137-95A6-00000000F001}49965928C:\Windows\system32\conhost.exe{4DF467A6-FD7C-6138-34D4-00000000F001}4460C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429904 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:20.018 | {4DF467A6-FD7C-6138-34D4-00000000F001} | 4460 | C:\Windows\System32\whoami.exe | C:\Windows\System32\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429903 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:20.018 | {4DF467A6-FD7C-6138-34D4-00000000F001} | 4460 | C:\Windows\System32\whoami.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429902 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:20.018 | {4DF467A6-FD7C-6138-34D4-00000000F001} | 4460 | C:\Windows\System32\whoami.exe | C:\Windows\System32\ntdll.dll | 10.0.14393.4530 (rs1_release.210705-0736) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A | true | Microsoft Windows | Valid
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5429901 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:20.018 | {4DF467A6-4446-6132-EC05-00000000F001} | 1764 | 4228 | C:\Windows\system32\csrss.exe | {4DF467A6-FD7C-6138-34D4-00000000F001} | 4460 | C:\Windows\system32\whoami.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5429900 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:20.018 | {4DF467A6-9719-6137-94A6-00000000F001} | 3852 | 4888 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | {4DF467A6-FD7C-6138-34D4-00000000F001} | 4460 | C:\Windows\system32\whoami.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88b70024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88abb3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87fb002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88013a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87fe665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88abb3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87fb002a(wow64)
1 | 5 | 4 | 1 | 0 | 0x8000000000000000 | 5429899 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:20.002 | {4DF467A6-FD7C-6138-34D4-00000000F001} | 4460 | C:\Windows\System32\whoami.exe | 10.0.14393.0 (rs1_release.160715-1616) | whoami - displays logged on user information | Microsoft® Windows® Operating System | Microsoft Corporation | whoami.exe | "C:\Windows\system32\whoami.exe" | C:\Users\Administrator\ | ATTACKRANGE\Administrator | {4DF467A6-4447-6132-0BC6-380000000000} | 0x38c60b | 2 | High | MD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A | {4DF467A6-9719-6137-94A6-00000000F001} | 3852 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429898 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.018 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429897 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429896 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429895 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429894 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429893 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:19.987 | {4DF467A6-FD7B-6138-33D4-00000000F001} | 4596 | C:\Windows\System32\HOSTNAME.EXE | C:\Windows\System32\IPHLPAPI.DLL | 10.0.14393.2339 (rs1_release_inmarket.180611-1502) | IP Helper API | Microsoft® Windows® Operating System | Microsoft Corporation | iphlpapi.dll | MD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429892 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429891 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429890 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429889 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429888 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429887 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
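The records above carry three things worth pulling apart: whoami.exe (EventRecordID 5429899) started by powershell.exe as ATTACKRANGE\Administrator at High integrity on win-dc-291, the three Event 10 handle opens on that new process (from its parent powershell.exe, from csrss.exe and from conhost.exe, all with GrantedAccess 0x1fffff), and a burst of Event 12 CreateKey records from sysmon64.exe against the Disallowed certificate stores and the WinTrust provider key, which is Sysmon's own signature checking rather than anything the operator did. The script below is an added example, not part of the original dump and not Sysmon or Splunk code. It embeds a handful of those records, transcribed with their fields split in Sysmon XML field order on " | " (a convention of this example; the 4996/5928 and 1764/4228 process/thread-id splits in the Event 10 records are inferred from the concatenated digits, and the PowerShell CallTrace is shortened to its first four frames). It then flags discovery binaries spawned from PowerShell, separates Sysmon's own certificate-store noise from other registry events, and lists who opened handles to the whoami process and whether each opener is the parent recorded in its Event 1. The DISCOVERY_BINARIES set and the field-count check are this example's own choices.

```python
"""Parse Sysmon records and run discovery/noise checks over them.

Added example, not part of the original log dump. Input convention is this
example's own: one event per line, fields in Sysmon XML order, separated by
" | " (System block first, then the EventData fields for that EventID).
"""
import re

SYSTEM_FIELDS = ["EventID", "Version", "Level", "Task", "Opcode", "Keywords",
                 "EventRecordID", "Channel", "Computer"]

# EventData order for the schema versions present in the dump
# (Event 1 v5, Event 5 v3, Event 10 v3, Event 12 v2, Events 17/18 v1).
EVENT_DATA_FIELDS = {
    1: ["RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "FileVersion",
        "Description", "Product", "Company", "OriginalFileName", "CommandLine",
        "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId",
        "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId",
        "ParentImage", "ParentCommandLine"],
    5: ["RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image"],
    10: ["RuleName", "UtcTime", "SourceProcessGUID", "SourceProcessId",
         "SourceThreadId", "SourceImage", "TargetProcessGUID", "TargetProcessId",
         "TargetImage", "GrantedAccess", "CallTrace"],
    12: ["RuleName", "EventType", "UtcTime", "ProcessGuid", "ProcessId", "Image",
         "TargetObject"],
    17: ["RuleName", "EventType", "UtcTime", "ProcessGuid", "ProcessId", "PipeName",
         "Image"],
}
EVENT_DATA_FIELDS[18] = EVENT_DATA_FIELDS[17]

# Records transcribed from the dump (PowerShell CallTrace shortened to four
# frames; the SourceProcessId/SourceThreadId splits are inferred).
SAMPLE = r"""
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429918 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.018 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5429905 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:20.018 | {4DF467A6-9719-6137-95A6-00000000F001} | 4996 | 5928 | C:\Windows\system32\conhost.exe | {4DF467A6-FD7C-6138-34D4-00000000F001} | 4460 | C:\Windows\system32\whoami.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5429901 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:20.018 | {4DF467A6-4446-6132-EC05-00000000F001} | 1764 | 4228 | C:\Windows\system32\csrss.exe | {4DF467A6-FD7C-6138-34D4-00000000F001} | 4460 | C:\Windows\system32\whoami.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5429900 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:20.018 | {4DF467A6-9719-6137-94A6-00000000F001} | 3852 | 4888 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | {4DF467A6-FD7C-6138-34D4-00000000F001} | 4460 | C:\Windows\system32\whoami.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213
1 | 5 | 4 | 1 | 0 | 0x8000000000000000 | 5429899 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:20.002 | {4DF467A6-FD7C-6138-34D4-00000000F001} | 4460 | C:\Windows\System32\whoami.exe | 10.0.14393.0 (rs1_release.160715-1616) | whoami - displays logged on user information | Microsoft® Windows® Operating System | Microsoft Corporation | whoami.exe | "C:\Windows\system32\whoami.exe" | C:\Users\Administrator\ | ATTACKRANGE\Administrator | {4DF467A6-4447-6132-0BC6-380000000000} | 0x38c60b | 2 | High | MD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A | {4DF467A6-9719-6137-94A6-00000000F001} | 3852 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5429820 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:14:19.987 | {4DF467A6-9719-6137-94A6-00000000F001} | 3852 | <Anonymous Pipe> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 5429819 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreatePipe | 2021-09-08 18:14:19.987 | {4DF467A6-9719-6137-94A6-00000000F001} | 3852 | <Anonymous Pipe> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
5 | 3 | 4 | 5 | 0 | 0x8000000000000000 | 5429794 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:19.987 | {4DF467A6-FD7B-6138-33D4-00000000F001} | 4596 | C:\Windows\System32\HOSTNAME.EXE
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429793 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-FD7B-6138-33D4-00000000F001} | 4596 | C:\Windows\system32\HOSTNAME.EXE | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
"""


def parse_record(line):
    """Map one record onto its field names. A count mismatch means the schema
    table above does not match the Sysmon version that wrote the event."""
    parts = line.split(" | ")
    event_id = int(parts[0])
    names = SYSTEM_FIELDS + EVENT_DATA_FIELDS[event_id]
    if len(parts) != len(names):
        raise ValueError(f"EventID {event_id}: expected {len(names)} fields, got {len(parts)}")
    rec = dict(zip(names, parts))
    rec["EventID"] = event_id
    return rec


def parse_records(text):
    return [parse_record(line) for line in text.strip().splitlines()]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# Built-in discovery tools an interactive operator tends to run first (this
# example's own list).
DISCOVERY_BINARIES = {"whoami.exe", "hostname.exe", "systeminfo.exe", "ipconfig.exe", "net.exe"}


def discovery_from_powershell(events):
    """Event 1 records where a discovery binary has powershell.exe as parent."""
    keys = ("EventRecordID", "Computer", "UtcTime", "Image", "CommandLine",
            "User", "IntegrityLevel", "ParentImage")
    return [{k: e[k] for k in keys} for e in events
            if e["EventID"] == 1
            and basename(e["Image"]) in DISCOVERY_BINARIES
            and basename(e["ParentImage"]) == "powershell.exe"]


SYSMON_CERT_KEYS = re.compile(
    r"\\(SystemCertificates|EnterpriseCertificates)\\Disallowed|\\WinTrust\\Trust Providers\\")


def is_sysmon_self_noise(e):
    """Event 12 from sysmon64.exe on the Disallowed cert stores or the WinTrust
    provider key: Sysmon verifying signatures, not operator activity."""
    return (e["EventID"] == 12 and basename(e["Image"]) == "sysmon64.exe"
            and SYSMON_CERT_KEYS.search(e["TargetObject"]) is not None)


def registry_events_excluding_noise(events):
    return [e for e in events if e["EventID"] == 12 and not is_sysmon_self_noise(e)]


def access_to_process(events, target_guid):
    """Event 10 openers of the target: (source image, access mask, whether the
    source is the parent recorded in the target's own Event 1)."""
    parent = next((e["ParentProcessGuid"] for e in events
                   if e["EventID"] == 1 and e["ProcessGuid"] == target_guid), None)
    return [(basename(e["SourceImage"]), e["GrantedAccess"].lower(),
             e["SourceProcessGUID"] == parent)
            for e in events
            if e["EventID"] == 10 and e["TargetProcessGUID"] == target_guid]


EVENTS = parse_records(SAMPLE)

if __name__ == "__main__":
    for hit in discovery_from_powershell(EVENTS):
        print("discovery via PowerShell:", hit)
    print("registry events after noise filter:",
          [e["EventRecordID"] for e in registry_events_excluding_noise(EVENTS)])
    print("handles to whoami.exe:",
          access_to_process(EVENTS, "{4DF467A6-FD7C-6138-34D4-00000000F001}"))
```

On this sample the PowerShell finding is the whoami.exe record; the HOSTNAME.EXE run is visible only through its Event 5 and Event 12 records here, so it is not flagged, while its Tcpip\Parameters key create survives the noise filter and the sysmon64.exe CreateKey does not. The parent check in access_to_process relies on the Event 1 ParentProcessGuid matching the Event 10 SourceProcessGUID, which is why the two are kept as GUIDs rather than PIDs.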
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429886 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429885 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429884 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429883 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429882 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429881 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429880 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429879 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429878 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429877 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429876 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429875 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429874 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429873 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429872 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429871 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429870 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429869 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429868 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429867 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429866 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429865 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:19.987 | {4DF467A6-FD7B-6138-33D4-00000000F001} | 4596 | C:\Windows\System32\HOSTNAME.EXE | C:\Windows\System32\nsi.dll | 10.0.14393.3297 (rs1_release_1.191001-1045) | NSI User-mode interface DLL | Microsoft® Windows® Operating System | Microsoft Corporation | nsi.dll | MD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27 | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429864 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429863 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429862 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429861 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429860 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429859 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429858 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429857 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429856 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429855 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429854 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429853 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429852 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429851 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429850 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429849 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429848 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429847 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429846 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429845 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429844 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429843 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429842 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429841 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:19.987 | {4DF467A6-FD7B-6138-33D4-00000000F001} | 4596 | C:\Windows\System32\HOSTNAME.EXE | C:\Windows\System32\dnsapi.dll | 10.0.14393.4350 (rs1_release.210407-2154) | DNS Client API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | dnsapi | MD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9 | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429840 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429839 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429838 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429837 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429836 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429835 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429834 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429833 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429832 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429831 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429830 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429829 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429828 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429827 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429826 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429825 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429824 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429823 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429822 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429821 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:20.002 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5429820 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:14:19.987 | {4DF467A6-9719-6137-94A6-00000000F001} | 3852 | <Anonymous Pipe> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 5429819 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreatePipe | 2021-09-08 18:14:19.987 | {4DF467A6-9719-6137-94A6-00000000F001} | 3852 | <Anonymous Pipe> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429818 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429817 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429816 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429815 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:14:19.987 | {4DF467A6-FD7B-6138-33D4-00000000F001} | 4596 | C:\Windows\System32\HOSTNAME.EXE | C:\Windows\System32\NapiNSP.dll | 10.0.14393.0 (rs1_release.160715-1616) | E-mail Naming Shim Provider | Microsoft® Windows® Operating System | Microsoft Corporation | napinsp.dll | MD5=71514D9A6350A37B4F0BAA6ACB751771,SHA256=5DB99D6784900D85BB4A62E9F40B4EC628054D41B38A5E93F80C7A8BB066EBBB | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429814 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429813 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429812 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429811 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429810 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429809 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429808 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429807 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429806 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429805 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429804 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429803 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429802 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429801 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5429800 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:14:19.987 | {4DF467A6-3F58-6132-2B00-00000000F001} | 2948 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005429799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005429798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005429797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005429796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005429795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 534500x80000000000000005429794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\System32\HOSTNAME.EXE 12241200x80000000000000005429793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:19.987{4DF467A6-FD7B-6138-33D4-00000000F001}4596C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005429792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:19.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 23542300x80000000000000001535832Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:21.553{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F33D82487481379441C7104999C344,SHA256=168963ECA5992F4CA32E03AF35624BC33979FB0448C0C66301B06D063F32C9E9,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005430414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.987{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005430413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.987{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005430412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.987{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005430411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005430410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005430409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005430408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 
734700x80000000000000005430407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005430406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005430405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005430404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005430403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005430402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005430401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005430400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005430399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005430398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005430397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
734700x80000000000000005430396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005430395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005430394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005430393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005430392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005430391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005430390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005430389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe 
OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005430388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005430387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005430386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005430385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005430384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005430383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005430382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005430381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005430380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005430379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005430378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005430377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:21.971{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005430376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005430375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000005430374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005430373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000005430372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005430371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005430370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.956{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005430369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:21.955{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:21.955{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:21.955{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:21.955{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:14:21.955{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:21.955{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005430363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.581{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005430362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.565{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7B204B7C63F7E8E80448979B4F8029AE,SHA256=C472E72CE01C308A07ACF6442FB6A161689ADC0AE7C432AA7B5FB029049EDA70falsetrue 11241100x80000000000000005430361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.565{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005430360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.565{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
12241200x80000000000000005430214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust 
Providers\Software Publishing 12241200x80000000000000005430199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005430198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005430197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005430196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005430194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 12241200x80000000000000005430193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000005430185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005430174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005430173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005430172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000005430171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 12241200x80000000000000005430170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005430169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005430168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005430156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:21.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 354300x80000000000000005430148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:07.792{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63412-false10.0.1.12-8000- 18141800x80000000000000005430147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 18141800x80000000000000005430146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005430145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005430144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005430143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005430142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005430141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005430140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005430139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005430138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005430137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 
734700x80000000000000005430136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005430135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.299{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005430134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005430133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005430132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005430131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005430130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005430129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005430128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005430127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005430126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005430125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005430124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005430123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005430122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005430121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005430120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005430119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005430118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005430117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 
(rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005430116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005430115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005430114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 11241100x80000000000000005430113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000005430112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 734700x80000000000000005430111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 23542300x80000000000000005430110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD674A35770D24741D251797C763BB8B,SHA256=A58F7DAA3DE37DC3A796C717CD9C11F8E156ED1A0B8C4F3D5D8B069C066610DEfalsetrue 734700x80000000000000005430109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 23542300x80000000000000005430108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E98463FD954D781D8C8E7900063CC7C,SHA256=861615169483BE36A0FF452F7708CD17E05200C1EDE369523341B83E6A2EFEFCfalsetrue 734700x80000000000000005430107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005430106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005430105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 11241100x80000000000000005430104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005430103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=41DCCB3EDF60C0902E346A1533BBBB98,SHA256=D940948493A1EB87182BFF5F9910718FF20BD05FBF5E97953BEC7D2230A1DC3Ffalsetrue 23542300x80000000000000005430102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07488907CB1708259A26E447B4448660,SHA256=A2EDFACAC5E12B3F2A29DF302CF23F1391FE29CAC496C3D44A19A3CD851A23ADfalsetrue 734700x80000000000000005430101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 
734700x80000000000000005430100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000005430099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:21.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005430098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000005430097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005430096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.284{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005430095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.269{4DF467A6-FD7D-6138-35D4-00000000F001}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005430094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:14:21.268{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:21.268{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:21.268{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:21.268{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:21.268{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:21.268{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000005430530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.799{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005430529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.784{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005430528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.784{4DF467A6-FD7E-6138-37D4-00000000F001}14647124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005430527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.784{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005430526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.784{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005430525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 12241200x80000000000000005430524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005430523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005430522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005430521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000005430519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005430504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.737{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000005430501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.721{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005430500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.721{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F925F4A62410040BBBA61F071BD5A54,SHA256=84BECB470AD77C991EE2375277FCA3F618580E2FE2F931FF4FDD4C4301222FE2falsetrue 734700x80000000000000005430499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.674{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005430498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.674{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005430497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.674{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005430496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:22.674{4DF467A6-FD7E-6138-37D4-00000000F001}1464\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005430495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 
18141800x80000000000000005430494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005430493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005430492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005430491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005430490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005430489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005430488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005430487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 
734700x80000000000000005430486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005430485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005430484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005430483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005430482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005430481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005430480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005430479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API 
Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005430478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005430477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005430476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005430475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 
32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005430474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005430473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005430472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005430471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005430470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005430469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005430468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005430467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005430466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005430465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005430464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005430463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005430462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005430461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005430460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005430459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005430458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000005430457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.659{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000005430456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005430455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.659{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005430454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.644{4DF467A6-FD7E-6138-37D4-00000000F001}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005430453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:22.643{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:22.643{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:22.643{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:22.643{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:22.643{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:22.643{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005430447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.330{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005430446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.330{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD674A35770D24741D251797C763BB8B,SHA256=A58F7DAA3DE37DC3A796C717CD9C11F8E156ED1A0B8C4F3D5D8B069C066610DEfalsetrue 23542300x80000000000000001535833Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:22.556{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC278AC5BB315BE555F9AD422BBBC4B,SHA256=FEDA9813A94ACCA3EFBD980F1087A608C7F539FE1BF9BA4C7E0996457D2361EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005430445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.315{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005430444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.315{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4359A4EC20AFFDD7A48117C119CF316D,SHA256=964C0A04E5BAD67ECD2E2B18229DAFDCC005AE1DC3F6FA1D19D26874D04A9513falsetrue 534500x80000000000000005430443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.096{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005430442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.096{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005430441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.096{4DF467A6-FD7D-6138-36D4-00000000F001}72366696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005430440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.096{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005430439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:22.096{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image 
HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 12241200x80000000000000005430438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005430437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005430436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005430435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005430434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:21.971{4DF467A6-FD7D-6138-36D4-00000000F001}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 12241200x80000000000000005430433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000005430432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005430417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:22.049{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 23542300x80000000000000001535834Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:23.575{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF35735A2CD473FEF2AA6C99F74A3C8,SHA256=FF53A1596DEE83305300A893434058A98831E471D7A5DF704D5A1AB3AE75B1F1,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005430642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.893{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005430641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.893{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005430640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.893{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005430639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:23.893{4DF467A6-FD7F-6138-39D4-00000000F001}5232\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005430638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.893{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005430637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:23.893{4DF467A6-FD7F-6138-39D4-00000000F001}5232\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 
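The records above are Sysmon events (ImageLoad 7, ProcessAccess 10, RegistryEvent 12, PipeEvent 17/18, ProcessCreate 1, FileCreate 11, FileDelete 23) as collected by the Splunk Universal Forwarder, with the XML field tags stripped so that the fields run together. They are still machine-readable because Sysmon's field order per event ID is fixed and the header always carries Task == EventID. The following parser and triage pass is an added example written for this page; it is not code from Splunk, Sysmon or the attack range. It decodes the header and the bodies of events 7, 10, 17 and 18, and then applies two checks a responder would run over this stream: a DLL that is unsigned, has a non-Valid signature status, or carries a Windows system DLL name but is loaded from outside %SystemRoot% (search-order hijack), and a ProcessAccess whose granted mask includes memory or thread rights from a source that is not an expected opener, or whose CallTrace contains UNKNOWN frames (unbacked memory). The EXPECTED_OPENERS allow-list, the SYSTEM_DLLS set, and the last two sample records (all-zero hashes, updater.exe under C:\Users\Public) are assumptions constructed for the demo; the first three sample records are modelled on records visible on this page.

```python
"""Parse the flattened Sysmon/Splunk records on this page and triage them (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Header: EventID Version Level Task Opcode Keywords EventRecordID Channel.  Sysmon sets
# Task == EventID, so the backreference separates "7 3 4 7 0" from "18 1 4 18 0".
HEADER = re.compile(
    r"(?P<eid>\d{1,2})(?P<ver>\d)(?P<lvl>\d)(?P=eid)(?P<op>\d)0x80{15}"
    r"(?P<rec>\d+)Microsoft-Windows-Sysmon/Operational")
# Body prefix common to all events: Computer, RuleName "-", EventType (pipe/registry
# events only), UtcTime; the remainder is event-specific.
PREFIX = re.compile(
    r"(?P<computer>.+?)-(?P<etype>[A-Za-z]*)"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<rest>.*)$", re.S)
IMAGE_LOAD = re.compile(  # event 7; FileVersion..OriginalFileName are glued -> "meta"
    r"\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<image>.+?\.exe)"
    r"(?P<loaded>[A-Z]:\\.+?\.(?:dll|exe|sys|ocx))(?P<meta>.*?)"
    r"MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64})(?:,IMPHASH=[0-9A-F]{32})?"
    r"(?P<signed>true|false)(?P<signer>.*?)(?P<status>Invalid|Valid|Unavailable|Expired)\s*$",
    re.I | re.S)
PROCESS_ACCESS = re.compile(  # event 10; SourceProcessId and SourceThreadId are glued
    r"\{(?P<sguid>[0-9A-F-]+)\}(?P<spid_tid>\d+)(?P<source>.+?\.exe)"
    r"\{(?P<tguid>[0-9A-F-]+)\}(?P<tpid>\d+)(?P<target>.+?\.exe)"
    r"(?P<access>0x[0-9a-f]+?)(?P<calltrace>(?:[A-Z]:\\|UNKNOWN).*)$", re.I | re.S)
PIPE = re.compile(  # events 17 (CreatePipe) and 18 (ConnectPipe)
    r"\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<pipe>.+?)(?P<image>[A-Z]:\\.+)$", re.I | re.S)
BODY_RE = {7: IMAGE_LOAD, 10: PROCESS_ACCESS, 17: PIPE, 18: PIPE}


@dataclass
class Event:
    eid: int
    rec: int
    computer: str
    utc: str
    etype: str
    fields: dict = field(default_factory=dict)  # empty for event IDs not decoded here


def parse(stream: str) -> list[Event]:
    """Split the glued stream at each event header and decode the bodies we know."""
    events, heads = [], list(HEADER.finditer(stream))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(stream)
        p = PREFIX.match(stream[h.end():end].strip())
        if not p:
            continue
        ev = Event(int(h["eid"]), int(h["rec"]), p["computer"], p["utc"], p["etype"])
        m = BODY_RE[ev.eid].match(p["rest"]) if ev.eid in BODY_RE else None
        if m:
            ev.fields = m.groupdict()
        events.append(ev)
    return events


PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x2, 0x8, 0x10, 0x20
MEMORY_ACCESS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
# Assumed allow-list for this host: csrss/conhost open every new console process with full
# access, and splunkd.exe is the parent that spawns the splunk-*.exe helpers (event 1 above).
EXPECTED_OPENERS = {"csrss.exe", "conhost.exe", "splunkd.exe"}
# Assumed set of Windows DLLs that must come from %SystemRoot%; a copy beside an application
# binary is the classic search-order hijack.  msvcp140/vcruntime140 are deliberately absent:
# shipping the VC runtime beside the app, as the forwarder does above, is normal.
SYSTEM_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "advapi32.dll", "bcrypt.dll",
               "cryptsp.dll", "rsaenh.dll", "rpcrt4.dll", "sechost.dll", "ws2_32.dll", "wldap32.dll"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: list[Event]) -> list[tuple[int, str, str]]:
    """Return (EventRecordID, check, detail) for loads and opens that deserve a look."""
    findings = []
    for ev in events:
        f = ev.fields
        if ev.eid == 7 and f:
            unsigned = f["signed"].lower() != "true" or f["status"].lower() != "valid"
            sideload = (basename(f["loaded"]) in SYSTEM_DLLS
                        and not f["loaded"].lower().startswith("c:\\windows\\"))
            if unsigned or sideload:
                findings.append((ev.rec, "image_load", f"{basename(f['image'])} loaded "
                                 f"{f['loaded']} (signed={f['signed']}, status={f['status']})"))
        elif ev.eid == 10 and f:
            access = int(f["access"], 16)
            unexpected = basename(f["source"]) not in EXPECTED_OPENERS
            unbacked = "UNKNOWN" in f["calltrace"].upper()
            if (access & MEMORY_ACCESS and unexpected) or unbacked:
                findings.append((ev.rec, "process_access", f"{basename(f['source'])} -> "
                                 f"{basename(f['target'])} access={f['access']} unbacked={unbacked}"))
    return findings


def _hdr(eid: int, ver: int, rec: int) -> str:
    """Glued header exactly as on the page (Level 4, Opcode 0, Keywords 0x8000000000000000)."""
    return f"{eid}{ver}4{eid}00x8{'0' * 15}{rec}Microsoft-Windows-Sysmon/Operational"


HOST, T = "win-dc-291.attackrange.local", "2021-09-08 18:14:22.659"
REGMON = r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
G = "{4DF467A6-FD7E-6138-37D4-00000000F001}1464"  # splunk-regmon.exe ProcessGuid + PID
SAMPLE = " ".join([  # constructed stream: three records modelled on the page, two invented
    _hdr(7, 3, 5430493) + f"{HOST}-{T}{G}{REGMON}" + r"C:\Windows\System32\bcrypt.dll"
    + "10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library"
    + "Microsoft Windows Operating SystemMicrosoft Corporationbcrypt.dll"
    + "MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74"
    + "trueMicrosoft WindowsValid",
    _hdr(10, 3, 5430461) + f"{HOST}-{T}" + "{4DF467A6-D934-6137-57AF-00000000F001}54486556"
    + r"C:\Windows\system32\conhost.exe" + f"{G}{REGMON}0x1fffff"
    + r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7",
    _hdr(18, 1, 5430494) + f"{HOST}-ConnectPipe{T}{G}" + r"\wkssvc" + REGMON,
    # invented: unsigned cryptsp.dll sitting beside the forwarder binaries (all-zero hashes)
    _hdr(7, 3, 9000001) + f"{HOST}-2021-09-08 18:15:00.000{G}{REGMON}"
    + r"C:\Program Files\SplunkUniversalForwarder\bin\cryptsp.dll-----"
    + f"MD5={'0' * 32},SHA256={'0' * 64}false-Unavailable",
    # invented: unknown binary opening splunkd with full access via an unbacked frame
    _hdr(10, 3, 9000002) + f"{HOST}-2021-09-08 18:15:01.000"
    + "{4DF467A6-0000-6138-0000-00000000F001}44201234" + r"C:\Users\Public\updater.exe"
    + "{4DF467A6-D933-6137-53AF-00000000F001}7044"
    + r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffff"
    + r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(00000212A3F40000)|C:\Windows\System32\KERNEL32.DLL+84d4",
])

if __name__ == "__main__":
    for rec, check, detail in triage(parse(SAMPLE)):
        print(rec, check, detail)
```

To run it over this page, pass the raw text of the section to parse() in place of SAMPLE: the header regex splits every record, including the ProcessCreate, RegistryEvent and FileDelete ones, which are returned with empty fields. Two things are not recoverable from the glued form and are left as-is: SourceProcessId and SourceThreadId in event 10 arrive as one digit string (spid_tid), and the FileVersion/Description/Product/Company/OriginalFileName run of event 7 is kept as one meta string. The allow-list is the part to adapt per host; on this page csrss.exe, conhost.exe and the parent splunkd.exe are the only processes opening the splunk-*.exe helpers with 0x1fffff, which is why they are the baseline here.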
734700x80000000000000005430636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.893{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005430635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.893{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005430634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.893{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005430633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.893{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005430632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.893{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005430631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005430630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005430629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005430628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005430627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005430626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005430625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared 
LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005430624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005430623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005430622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005430621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005430620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005430619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005430618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005430617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® 
Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005430616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005430615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005430614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005430613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005430612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005430611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005430610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 
734700x80000000000000005430609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005430608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005430607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005430606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005430605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005430604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005430603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005430602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000005430601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:23.877{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005430600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000005430599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005430598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005430597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.868{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005430596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:23.862{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:23.862{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:23.862{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:23.862{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:23.862{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:23.862{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005430590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.862{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005430589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.862{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082E87754B9A2749A228755114A2F136,SHA256=EDCDA9E7737643D185C8FB3DF1CB7A2342BF2C7E7D52E4BEA319D317E436BE83falsetrue 11241100x80000000000000005430588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.862{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005430587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.862{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=428C74DFB7464F81B5E86BB604A87848,SHA256=58588D1F8448270CFA94A8BA93F00AAF52E1D790F3E2DE1B6E1F080AE1A09CECfalsetrue 534500x80000000000000005430586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.471{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005430585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.471{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005430584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.471{4DF467A6-FD7F-6138-38D4-00000000F001}69123440C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005430583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.471{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005430582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.471{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005430581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.362{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005430580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.362{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005430579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.362{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005430578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005430577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005430576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005430575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005430574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005430573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 
734700x80000000000000005430572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005430571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005430570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005430569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005430568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005430567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005430566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005430565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005430564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005430563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005430562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
734700x80000000000000005430561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005430560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005430559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005430558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005430557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005430556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005430555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005430554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005430553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005430552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005430551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005430550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005430549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005430548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005430547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005430546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005430545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005430544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005430543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005430542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005430541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005430540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005430539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005430538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.346{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005430537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.331{4DF467A6-FD7F-6138-38D4-00000000F001}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005430536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:23.330{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous 
Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:23.330{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:23.330{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:23.330{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:23.330{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:23.330{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001535836Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:24.577{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC677C889FAA84173DC4CF9F5494747A,SHA256=425EF453B5AD7432E774A2F508A04707EE0A0CA36F2154A71CE5610D57430A91,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005430732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.971{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005430731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.971{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2A25AED55B379E4323C7F012F7CA647,SHA256=9F7E116F8E27BF3C82CFEAB1F12DBA77D082BFAC17769EECD3245DFDBC050AA6falsetrue 534500x80000000000000005430730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.659{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005430729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.659{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005430728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.659{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 
734700x80000000000000005430727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.659{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005430726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.549{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005430725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.549{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005430724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005430723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005430722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005430721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005430720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005430719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005430718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005430717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005430716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 
734700x80000000000000005430715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005430714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005430713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005430712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating 
SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005430711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005430710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005430709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005430708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005430707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005430706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005430705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 
734700x80000000000000005430704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005430703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005430702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005430701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 
734700x80000000000000005430700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005430699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005430698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005430697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 
734700x80000000000000005430696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005430695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005430694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005430693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005430692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005430691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005430690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005430689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® 
Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005430688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005430687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005430686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005430685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005430684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005430683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005430682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.534{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005430681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.519{4DF467A6-FD80-6138-3AD4-00000000F001}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005430680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:24.518{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:24.518{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:24.518{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:24.518{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:24.518{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:24.518{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005430674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005430673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24351F8317640B342FE114FD9156B707,SHA256=C68E2D6746ED1DCAF8FC2DEF90A586AED2951F95C033E05153FE1EBE64876E80falsetrue 23542300x80000000000000001535835Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:24.176{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CA33D3AADDDD55C91104B44B489ABE5,SHA256=612543CC277B6E7861B8EBDA2F66A0192AA43C19056BEF9B78E2ED5F84257AC4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005430672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005430671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD8AA3A278D35A7E6D614C7C6D23C3F,SHA256=44F79321F50340F5FCB990C74D9DA751CAD887089082453781C2E737230C2380falsetrue 534500x80000000000000005430670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.049{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005430669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.049{4DF467A6-FD7F-6138-39D4-00000000F001}52321988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005430668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.049{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005430667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:24.034{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 12241200x80000000000000005430666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005430665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005430664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005430663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:23.877{4DF467A6-FD7F-6138-39D4-00000000F001}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 12241200x80000000000000005430662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005430657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:24.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
23542300x80000000000000001535838Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:25.580{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20297F465369D6A37624754F9F119714,SHA256=0FD30CE2BA999201AEA3403B972755342B2B57689300254F9196A08536DB3193,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005431835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.987{4DF467A6-FD81-6138-41D4-00000000F001}72886636C:\Windows\system32\conhost.exe{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005431834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000005431832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.987{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 12241200x80000000000000005431831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005431830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005431829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005431824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000005431821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.862{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 12241200x80000000000000005431820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005431818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.987{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 12241200x80000000000000005431817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005431811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005431807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.987{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 12241200x80000000000000005431806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005431803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005431802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.862{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 12241200x80000000000000005431801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005431798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005431778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005431777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
734700x80000000000000005431776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.862{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 12241200x80000000000000005431775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005431762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005431755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005431754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005431753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x80000000000000005431752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000005431750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005431749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 12241200x80000000000000005431748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005431742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x80000000000000005431741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000005431739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.862{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 
12241200x80000000000000005431738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005431731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 12241200x80000000000000005431730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005431725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005431724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005431723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005431722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005431721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005431720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.4583 (rs1_release.210730-1850)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=2FB0A16E47FFDD4CBB3E80E58ECD8AE1,SHA256=943949336C9A3707F0A9FFD76A6D20278B6EE72513E8D193D04B27133C36B7C6trueMicrosoft WindowsValid 12241200x80000000000000005431719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005431716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.862{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 
12241200x80000000000000005431715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005431714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005431700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.971{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005431694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000005431693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-4446-6132-EC05-00000000F001}17645008C:\Windows\system32\csrss.exe{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000005431692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005431691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005431690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005431689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0trueMicrosoft WindowsValid 154100x80000000000000005431688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.973{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\calc.exe 734700x80000000000000005431687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000005431686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.971{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005431685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000005431684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.971{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x80000000000000005431683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005431682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.955{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005431681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.955{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005431680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.955{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000005431679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005431677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x80000000000000005431676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000005431668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.955{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 12241200x80000000000000005431667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005431665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.846{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 12241200x80000000000000005431664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000005431663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005431659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.955{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 12241200x80000000000000005431658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005431653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.955{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x80000000000000005431652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.955{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000005431651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.955{4DF467A6-4446-6132-EC05-00000000F001}17644228C:\Windows\system32\csrss.exe{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005431650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.955{4DF467A6-FD81-6138-3FD4-00000000F001}12727668C:\Windows\SysWOW64\rundll32.exe{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+159f9b(wow64)|C:\Windows\System32\KERNELBASE.dll+159c4c(wow64)|C:\Windows\AppPatch\AcLayers.DLL+1b887(wow64)|C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl+43f7(wow64)|C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl+41e1(wow64)|C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl+2c37(wow64)|C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl+1273(wow64)|C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl+14d8(wow64)|C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl+15be(wow64)|C:\Windows\SYSTEM32\ntdll.dll+6ea4e(wow64)|C:\Windows\SYSTEM32\ntdll.dll+3eea6(wow64)|C:\Windows\SYSTEM32\ntdll.dll+52fcc(wow64) 154100x80000000000000005431649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.966{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCmd.ExeC:\Windows\system32\cmd.exe /c c:\windows\system32\calc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=0FEC5F30E705EADAEA5E9144F2FB12DC,SHA256=614CA7B627533E22AA3E5C3594605DC6FE6F000B0CC2B845ECE47CA60673EC7F{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl 12241200x80000000000000005431648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005431645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.846{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 12241200x80000000000000005431644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005431643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005431636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.955{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005431623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.940{4DF467A6-3F48-6132-1600-00000000F001}12482776C:\Windows\system32\svchost.exe{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005431622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.940{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005431621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000005431618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005431617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.830{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 12241200x80000000000000005431616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005431604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.940{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005431593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.784{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 12241200x80000000000000005431592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005431591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000005431590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005431575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.909{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005431570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.784{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 12241200x80000000000000005431569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005431567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005431566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005431561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.893{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000005431546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.784{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000005431545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.737{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005431544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.737{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640D14EDFD057BA371E836C91C8DC0EE,SHA256=0C0A78223CFED194EAC172A6977FE6A58DD1953213DE8600CAAD469897188D62falsetrue 12241200x80000000000000005431543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005431541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
734700x80000000000000005431540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.612{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 12241200x80000000000000005431539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005431526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 354300x80000000000000001535837Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.715{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60656-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 12241200x80000000000000005431516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005431515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.612{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 12241200x80000000000000005431514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005431506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.643{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.596{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.596{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.596{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.596{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.596{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.596{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.596{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.596{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.596{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005431337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005431336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.565{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 
12241200x80000000000000005431335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000005431320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005431314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.549{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 12241200x80000000000000005431313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000005431312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.565{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 12241200x80000000000000005431311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005431310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005431309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000005431307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005431292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005431286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005431285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.549{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 12241200x80000000000000005431284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000005431278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000005431264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.565{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005431263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.565{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0B946D654857F54A816752BB02D54206,SHA256=B93BBB83FDD501EE8DC2345B69CFFFF05762DC06AC62FE6ACBA0AFD3066F429Dfalsetrue 12241200x80000000000000005431262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005431259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.549{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 
734700x80000000000000005431119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005431118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 10341000x80000000000000005431117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-3F48-6132-1600-00000000F001}12482776C:\Windows\system32\svchost.exe{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005431116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.518{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005431115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 12241200x80000000000000005431114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005431113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x80000000000000005431112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005431111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 12241200x80000000000000005431110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005431109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005431108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x80000000000000005431107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x80000000000000005431106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005431104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 12241200x80000000000000005431103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005431102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000005431097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.502{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\pcacli.dll10.0.14393.0 (rs1_release.160715-1616)Program Compatibility Assistant Client ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975EtrueMicrosoft WindowsValid 12241200x80000000000000005431096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
734700x80000000000000005431095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 12241200x80000000000000005431094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000005431084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 12241200x80000000000000005431083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005431082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.518{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005431079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005431078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005431077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000005431076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000005431075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000005431074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 12241200x80000000000000005431073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005431072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.502{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69trueMicrosoft WindowsValid 12241200x80000000000000005431071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005431069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.502{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000005431068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.502{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 
(rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005431067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.502{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 12241200x80000000000000005431066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005431064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005431063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000005431060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.502{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 12241200x80000000000000005431059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005431055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005431052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.455{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x80000000000000005431051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.502{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005431050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.502{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431049 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431048 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431047 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431046 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431045 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431044 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431043 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431042 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431041 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431040 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3ED4-00000000F001} ProcessId=7248 Image=C:\Windows\System32\rundll32.exe ImageLoaded=C:\Windows\System32\msvcrt.dll FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) Description=Windows NT CRT DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=msvcrt.dll Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431039 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3ED4-00000000F001} ProcessId=7248 Image=C:\Windows\System32\rundll32.exe ImageLoaded=C:\Windows\System32\KernelBase.dll FileVersion=10.0.14393.4350 (rs1_release.210407-2154) Description=Windows NT BASE API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=Kernelbase.dll Hashes=MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431038 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3ED4-00000000F001} ProcessId=7248 Image=C:\Windows\System32\rundll32.exe ImageLoaded=C:\Windows\System32\kernel32.dll FileVersion=10.0.14393.4350 (rs1_release.210407-2154) Description=Windows NT BASE API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=kernel32 Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431037 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3ED4-00000000F001} ProcessId=7248 Image=C:\Windows\System32\rundll32.exe ImageLoaded=C:\Windows\System32\ntdll.dll FileVersion=10.0.14393.4530 (rs1_release.210705-0736) Description=NT Layer DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ntdll.dll Hashes=MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431036 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431035 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\mpr.dll FileVersion=10.0.14393.2879 (rs1_release_inmarket.190313-1855) Description=Multiple Provider Router DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=mpr.dll Hashes=MD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431034 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.502 SourceProcessGUID={4DF467A6-4446-6132-EC05-00000000F001} SourceProcessId+SourceThreadId=17644228 (concatenated in the export) SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={4DF467A6-FD81-6138-3ED4-00000000F001} TargetProcessId=7248 TargetImage=C:\Windows\system32\rundll32.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431033 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.502 SourceProcessGUID={4DF467A6-FD81-6138-3DD4-00000000F001} SourceProcessId=4560 SourceThreadId=6648 SourceImage=C:\Windows\system32\control.exe TargetProcessGUID={4DF467A6-FD81-6138-3ED4-00000000F001} TargetProcessId=7248 TargetImage=C:\Windows\system32\rundll32.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+3c91c|C:\Windows\System32\SHELL32.dll+e2087|C:\Windows\System32\SHELL32.dll+e1fe5|C:\Windows\system32\control.exe+1f00|C:\Windows\system32\control.exe+1094|C:\Windows\system32\control.exe+14d7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431032 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.508 ProcessGuid={4DF467A6-FD81-6138-3ED4-00000000F001} ProcessId=7248 Image=C:\Windows\System32\rundll32.exe FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=Windows host process (Rundll32) Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=RUNDLL32.EXE CommandLine="C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl CurrentDirectory=C:\Users\ADMINI~1\AppData\Local\Temp\2\ User=ATTACKRANGE\Administrator LogonGuid={4DF467A6-4447-6132-0BC6-380000000000} LogonId=0x38c60b TerminalSessionId=2 IntegrityLevel=High Hashes=MD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667 ParentProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ParentProcessId=4560 ParentImage=C:\Windows\System32\control.exe ParentCommandLine=control.exe C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431031 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431030 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431029 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431028 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431027 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431026 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431025 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.455 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\clbcatq.dll FileVersion=2001.12.10941.16384 (rs1_release.210107-1130) Description=COM+ Configuration Catalog Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=CLBCATQ.DLL Hashes=MD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
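The Event ID 1 record above (RecordNumber 5431032) is the process-creation event that matters in this capture: control.exe (PID 4560) launches rundll32.exe with Shell32.dll,Control_RunDLL and a .cpl file under C:\AtomicRedTeam\atomics\T1218.002\bin, the pattern of ATT&CK T1218.002 (Control Panel item execution). The following is an added detection example written for this page; it is not code from the dataset, from Splunk Attack Range or from Atomic Red Team. It takes Sysmon Event ID 1 fields as a SIEM exposes them after XML parsing and flags any .cpl loaded from outside the system directories, whether through control.exe or directly through rundll32. Assumptions: the system root is C:\Windows, the first sample record is the event above, the second is rebuilt from that event's ParentCommandLine with a constructed parent and timestamp, and the last two are constructed benign controls.

```python
"""Detection for T1218.002 (Control Panel item execution) over Sysmon
Event ID 1 records. Added example for this page; not from the dataset."""
import ntpath

# Where a legitimate .cpl is expected to live. Assumption: SystemRoot is
# C:\Windows; adjust for hosts with another system drive.
TRUSTED_CPL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Sysmon Event ID 1 fields. Record 1 is the rundll32 event recorded on this
# page; record 2 is rebuilt from its ParentCommandLine (parent and time are
# constructed); records 3 and 4 are constructed benign controls.
SAMPLE_EVENTS = [
    {
        "EventID": 1, "UtcTime": "2021-09-08 18:14:25.508",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": '"C:\\Windows\\system32\\rundll32.exe" Shell32.dll,Control_RunDLL '
                       "C:\\AtomicRedTeam\\atomics\\T1218.002\\bin\\calc.cpl",
        "User": "ATTACKRANGE\\Administrator", "IntegrityLevel": "High",
        "ParentImage": "C:\\Windows\\System32\\control.exe",
        "ParentCommandLine": "control.exe C:\\AtomicRedTeam\\atomics\\T1218.002\\bin\\calc.cpl",
    },
    {
        "EventID": 1, "UtcTime": "2021-09-08 18:14:25.440",  # constructed
        "Image": "C:\\Windows\\System32\\control.exe",
        "CommandLine": "control.exe C:\\AtomicRedTeam\\atomics\\T1218.002\\bin\\calc.cpl",
        "User": "ATTACKRANGE\\Administrator", "IntegrityLevel": "High",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",  # constructed
        "ParentCommandLine": "cmd.exe",                   # constructed
    },
    {   # constructed: Region settings opened from the Control Panel window
        "EventID": 1, "UtcTime": "2021-09-08 18:20:00.000",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": '"C:\\Windows\\system32\\rundll32.exe" Shell32.dll,Control_RunDLL '
                       '"C:\\Windows\\System32\\intl.cpl",',
        "User": "ATTACKRANGE\\alice", "IntegrityLevel": "Medium",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
    },
    {   # constructed: rundll32 use with no Control Panel item involved
        "EventID": 1, "UtcTime": "2021-09-08 18:21:00.000",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe printui.dll,PrintUIEntry /?",
        "User": "ATTACKRANGE\\alice", "IntegrityLevel": "Medium",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
    },
]


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace while honouring double
    quotes. Simpler than CommandLineToArgvW (no backslash escape rules),
    which is enough for Control Panel launch lines."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def cpl_paths(cmdline):
    """Every argument naming a .cpl file. control.exe and Control_RunDLL
    accept a trailing comma (applet index), so it is stripped first."""
    paths = []
    for tok in split_cmdline(cmdline):
        tok = tok.rstrip(",")
        if tok.lower().endswith(".cpl"):
            paths.append(tok)
    return paths


def is_trusted_cpl(path):
    """True only for a path that resolves inside a trusted system directory;
    '..' is collapsed first so System32\\..\\Temp\\x.cpl cannot slip through,
    and a relative name such as calc.cpl is never trusted."""
    normalized = ntpath.normpath(path).lower()
    return normalized.startswith(TRUSTED_CPL_DIRS)


def detect_t1218_002(events):
    """Return one alert per Event ID 1 record in which control.exe, or
    rundll32 via Shell32.dll,Control_RunDLL, loads a .cpl from an untrusted path."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image = ntpath.basename(ev.get("Image", "")).lower()
        cmd = ev.get("CommandLine", "")
        if image == "rundll32.exe" and "control_rundll" in cmd.lower():
            launcher = "rundll32 Control_RunDLL"
        elif image == "control.exe":
            launcher = "control.exe"
        else:
            continue
        untrusted = [p for p in cpl_paths(cmd) if not is_trusted_cpl(p)]
        if not untrusted:
            continue
        alerts.append({
            "technique": "T1218.002",
            "time": ev.get("UtcTime"),
            "user": ev.get("User"),
            "launcher": launcher,
            "cpl": untrusted,
            "parent": ntpath.basename(ev.get("ParentImage", "")).lower(),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_t1218_002(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample set, the rule fires twice: once for the rundll32 event on this page and once for the control.exe launch rebuilt from its ParentCommandLine, while the two constructed benign records pass. The path check is the load-bearing part: the binaries and the Control_RunDLL export are legitimate and signed (the Event ID 7 records around it show every DLL with Signature=Microsoft Windows), so the only thing that distinguishes this launch from a user opening Region settings is where the .cpl came from. A .cpl registered through the registry rather than passed on the command line, or one copied into System32 first, would not be caught by this rule and needs a separate check.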
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431024 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431023 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431022 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431021 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431020 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431019 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431018 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431017 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431016 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431015 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431014 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431013 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431012 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431011 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431010 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431009 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431008 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431007 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431006 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431005 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\system32\control.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect Details=DWORD (0x00000000)
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431004 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\system32\control.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet Details=DWORD (0x00000001)
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431003 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\system32\control.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName Details=DWORD (0x00000001)
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431002 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\system32\control.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass Details=DWORD (0x00000001)
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431001 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\system32\control.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect Details=DWORD (0x00000000)
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5431000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\system32\control.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet Details=DWORD (0x00000001)
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430999 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\system32\control.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName Details=DWORD (0x00000001)
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430998 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\system32\control.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass Details=DWORD (0x00000001)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430997 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.502 SourceProcessGUID={4DF467A6-3F46-6132-0B00-00000000F001} SourceProcessId+SourceThreadId=6361432 (concatenated in the export) SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={4DF467A6-FD81-6138-3DD4-00000000F001} TargetProcessId=4560 TargetImage=C:\Windows\system32\control.exe GrantedAccess=0x1478 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430996 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.502 SourceProcessGUID={4DF467A6-3F46-6132-0B00-00000000F001} SourceProcessId+SourceThreadId=6361432 (concatenated in the export) SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={4DF467A6-FD81-6138-3DD4-00000000F001} TargetProcessId=4560 TargetImage=C:\Windows\system32\control.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430995 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\sspicli.dll FileVersion=10.0.14393.2580 (rs1_release_inmarket.181009-1745) Description=Security Support Provider Interface Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=sspicli.dll Hashes=MD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430994 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\system32\control.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430993 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.502 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\iertutil.dll FileVersion=11.00.14393.4467 (rs1_release.210604-1844) Description=Run time utility for Internet Explorer Product=Internet Explorer Company=Microsoft Corporation OriginalFileName=IeRtUtil.dll Hashes=MD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBF Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430992 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430991 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430990 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430989 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430988 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.440 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\profapi.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=User Profile Basic API Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=PROFAPI.DLL Hashes=MD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430987 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430986 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430985 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430984 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430983 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430982 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430981 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430980 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430979 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430978 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430977 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430976 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430975 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430974 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430973 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430972 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430971 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430970 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430969 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430968 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430967 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430966 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430965 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430964 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430963 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.440 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\windows.storage.dll FileVersion=10.0.14393.4583 (rs1_release.210730-1850) Description=Microsoft WinRT Storage API Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=Windows.Storage.dll Hashes=MD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBF Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430962 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430961 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430960 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430959 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430958 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430957 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430956 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430955 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430954 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430953 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430952 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430951 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430950 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430949 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430948 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430947 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 Record

Number=5430946 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430945 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430944 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430943 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.487 ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430942 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.471 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\netutils.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Net Win32 API Helpers DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=NETUTILS.DLL Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430941 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.471 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\srvcli.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Server Service Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=SRVCLI.DLL Hashes=MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430940 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.471 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\urlmon.dll FileVersion=11.00.14393.4530 (rs1_release.210705-0736) Description=OLE32 Extensions for Win32 Product=Internet Explorer Company=Microsoft Corporation OriginalFileName=UrlMon.dll Hashes=MD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430939 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.455 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8368104 (concatenated in the export) SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-FD81-6138-3DD4-00000000F001} TargetProcessId=4560 TargetImage=C:\Windows\system32\control.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430938 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08 18:14:25.455 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\system32\control.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430937 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.455 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\msvcp_win.dll FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518) Description=Microsoft® C Runtime Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=msvcp_win.dll Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430936 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.455 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\oleaut32.dll FileVersion=10.0.14393.4402 (rs1_release.210426-1725) Description=OLEAUT32.DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=OLEAUT32.DLL Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430935 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.455 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\propsys.dll FileVersion=7.0.14393.4169 (rs1_release.210107-1130) Description=Microsoft Property System Product=Windows® Search Company=Microsoft Corporation OriginalFileName=propsys.dll Hashes=MD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430934 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.455 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\ole32.dll FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=Microsoft OLE for Windows Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=OLE32.DLL Hashes=MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430933 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.455 SourceProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} SourceProcessId+SourceThreadId=12482776 (concatenated in the export) SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-FD81-6138-3DD4-00000000F001} TargetProcessId=4560 TargetImage=C:\Windows\system32\control.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430932 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.455 SourceProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} SourceProcessId+SourceThreadId=12481296 (concatenated in the export) SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-FD81-6138-3DD4-00000000F001} TargetProcessId=4560 TargetImage=C:\Windows\system32\control.exe GrantedAccess=0x1478 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430931 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-08 18:14:25.455 ProcessGuid={4DF467A6-FD81-6138-3DD4-00000000F001} ProcessId=4560 Image=C:\Windows\System32\control.exe ImageLoaded=C:\Windows\System32\uxtheme.dll FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=Microsoft UxTheme Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=UxTheme.dll Hashes=MD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5430930 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-08
18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005430929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x80000000000000005430928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005430927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005430926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005430925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000005430923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000005430912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\control.exe10.0.14393.0 (rs1_release.160715-1616)Windows Control PanelMicrosoft® Windows® Operating SystemMicrosoft CorporationCONTROL.EXEMD5=924219B426830FF7476AF7D22AE91DE1,SHA256=CB089C50698BEE280244437BCAF56D3955402A582E5E928DBC8812A5D9C0EF4DtrueMicrosoft WindowsValid 12241200x80000000000000005430911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000005430909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005430904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000005430903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005430902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000005430901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000005430900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x80000000000000005430899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 12241200x80000000000000005430898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005430897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005430896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005430895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility 
LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000005430894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005430893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005430892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005430891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005430890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005430889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 12241200x80000000000000005430888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005430887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 
12241200x80000000000000005430886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005430885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 12241200x80000000000000005430884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005430883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005430882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005430881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000005430873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.424{4DF467A6-FD81-6138-3CD4-00000000F001}8040C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating 
SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2trueMicrosoft WindowsValid 12241200x80000000000000005430872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005430865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 12241200x80000000000000005430864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
734700x80000000000000005430859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005430858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000005430857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-4446-6132-EC05-00000000F001}17644908C:\Windows\system32\csrss.exe{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\system32\control.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005430856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.440{4DF467A6-FD81-6138-3CD4-00000000F001}80405152C:\Windows\system32\cmd.exe{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\system32\control.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005430855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.443{4DF467A6-FD81-6138-3DD4-00000000F001}4560C:\Windows\System32\control.exe10.0.14393.0 (rs1_release.160715-1616)Windows Control PanelMicrosoft® Windows® Operating SystemMicrosoft CorporationCONTROL.EXEcontrol.exe C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=924219B426830FF7476AF7D22AE91DE1,SHA256=CB089C50698BEE280244437BCAF56D3955402A582E5E928DBC8812A5D9C0EF4D{4DF467A6-FD81-6138-3CD4-00000000F001}8040C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "control.exe C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl" 12241200x80000000000000005430854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.440{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005430853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-FD81-6138-3CD4-00000000F001}8040C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000005430852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.440{4DF467A6-9719-6137-95A6-00000000F001}49965928C:\Windows\system32\conhost.exe{4DF467A6-FD81-6138-3CD4-00000000F001}8040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005430851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.424{4DF467A6-FD81-6138-3CD4-00000000F001}8040C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 12241200x80000000000000005430850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.424{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005430849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.424{4DF467A6-FD81-6138-3CD4-00000000F001}8040C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
12241200x80000000000000005430848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.424{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005430847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.424{4DF467A6-FD81-6138-3CD4-00000000F001}8040C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000005430846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.424{4DF467A6-9719-6137-94A6-00000000F001}38524888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DF467A6-FD81-6138-3CD4-00000000F001}8040C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|UNKNOWN(00007FFE488CB593) 10341000x80000000000000005430845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:25.424{4DF467A6-4446-6132-EC05-00000000F001}17644908C:\Windows\system32\csrss.exe{4DF467A6-FD81-6138-3CD4-00000000F001}8040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005430844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.424{4DF467A6-9719-6137-94A6-00000000F001}38524888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DF467A6-FD81-6138-3CD4-00000000F001}8040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff2995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff27fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+8807b92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87feaa
82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88abb304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87fb002a(wow64)|UNKNOWN(00007FFE48915AE8) 154100x80000000000000005430843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.418{4DF467A6-FD81-6138-3CD4-00000000F001}8040C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "control.exe C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000005430842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.409{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-09-08 18:14:25.409 11241100x80000000000000005430841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.409{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-09-08 18:14:25.409 534500x80000000000000005430840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.299{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 
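The Sysmon records above show the Atomic Red Team test for T1218.002 (Control Panel item execution): powershell.exe runs cmd.exe /c "control.exe C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl", and control.exe loads a .cpl that does not live under System32. The following Python is an added example, not code from this capture, from Atomic Red Team or from Splunk. It parses Sysmon Event ID 1 records in their Windows Event Log XML form, flags a CPL host (control.exe, or the rundll32.exe shell32.dll,Control_RunDLL form the technique also takes) whose command line names a .cpl outside C:\Windows\System32 or SysWOW64, and rebuilds the parent chain through ProcessGuid/ParentProcessGuid. The cmd.exe and control.exe records reuse the GUIDs, paths and command lines visible in the export; the explorer.exe-launched timedate.cpl record and the rundll32.exe record are constructed for contrast. Function names, the SYSTEM_CPL_DIRS allow-list and the regex are this example's own assumptions.

```python
"""Flag Control Panel item (.cpl) execution from non-system paths (ATT&CK
T1218.002) in Sysmon Event ID 1 records and rebuild the parent chain.

Added example, not code from the original capture.  Two records reuse
field values from the export above; the other two are constructed.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SYSMON_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": SYSMON_NS}
# Applets that ship with Windows live here (assumed allow-list); anything else is suspect.
SYSTEM_CPL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Drive-letter or UNC path ending in .cpl.  Paths with spaces would need quote-aware
# tokenising, which the sample command lines do not require.
CPL_PATH_RE = re.compile(r'((?:[a-z]:\\|\\\\)[^\s"]+\.cpl)(?=[\s"]|$)', re.IGNORECASE)


def sysmon_event_xml(record_id, data):
    """Render one EID 1 event as the XML the Windows Event Log exposes."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{SYSMON_NS}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>1</EventID><EventRecordID>{record_id}</EventRecordID>'
            f'<Channel>Microsoft-Windows-Sysmon/Operational</Channel>'
            f'<Computer>win-dc-291.attackrange.local</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_XML = [
    # From the export (record 5430843): cmd.exe spawned by powershell.exe.
    sysmon_event_xml(5430843, {
        "ProcessGuid": "{4DF467A6-FD81-6138-3CD4-00000000F001}",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\system32\cmd.exe" /c "control.exe C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl"',
        "User": r"ATTACKRANGE\Administrator",
        "ParentProcessGuid": "{4DF467A6-9719-6137-94A6-00000000F001}",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    # From the export (record 5430855): control.exe loading calc.cpl from the Atomic Red Team tree.
    sysmon_event_xml(5430855, {
        "ProcessGuid": "{4DF467A6-FD81-6138-3DD4-00000000F001}",
        "Image": r"C:\Windows\System32\control.exe",
        "CommandLine": r"control.exe C:\AtomicRedTeam\atomics\T1218.002\bin\calc.cpl",
        "User": r"ATTACKRANGE\Administrator",
        "ParentProcessGuid": "{4DF467A6-FD81-6138-3CD4-00000000F001}",
        "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    # Constructed: a user opening the Date and Time applet from the shell; must not fire.
    sysmon_event_xml(9000001, {
        "ProcessGuid": "{00000000-0000-0000-0000-000000000001}",
        "Image": r"C:\Windows\System32\control.exe",
        "CommandLine": r"control.exe C:\Windows\System32\timedate.cpl",
        "User": r"ATTACKRANGE\Administrator",
        "ParentProcessGuid": "{00000000-0000-0000-0000-000000000002}",
        "ParentImage": r"C:\Windows\explorer.exe"}),
    # Constructed: the rundll32.exe form of the same technique; parent record not in the sample.
    sysmon_event_xml(9000002, {
        "ProcessGuid": "{00000000-0000-0000-0000-000000000003}",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\Public\update.cpl",
        "User": r"ATTACKRANGE\Administrator",
        "ParentProcessGuid": "{00000000-0000-0000-0000-000000000004}",
        "ParentImage": r"C:\Windows\System32\cmd.exe"}),
]


def parse_event(xml_text):
    """Flatten one Sysmon event into a dict of its System and EventData fields."""
    root = ET.fromstring(xml_text)
    ev = {el.tag.split("}")[-1]: (el.text or "") for el in root.find("e:System", NS)}
    for data in root.find("e:EventData", NS):
        ev[data.get("Name")] = data.text or ""
    return ev


def is_cpl_host(ev):
    """control.exe, or rundll32.exe calling shell32's Control_RunDLL export."""
    image = ev.get("Image", "").lower()
    if image.endswith("\\control.exe"):
        return True
    return image.endswith("\\rundll32.exe") and "control_rundll" in ev.get("CommandLine", "").lower()


def ancestry(ev, by_guid):
    """Follow ParentProcessGuid while parent records exist, then use the last ParentImage."""
    chain, seen = [ev["Image"]], set()
    while True:
        pguid = ev.get("ParentProcessGuid")
        if pguid in seen:            # guard against GUID reuse loops
            return chain
        seen.add(pguid)
        parent = by_guid.get(pguid)
        if parent is None:           # parent's own EID 1 not collected; keep what the child recorded
            if ev.get("ParentImage"):
                chain.append(ev["ParentImage"])
            return chain
        chain.append(parent["Image"])
        ev = parent


def find_cpl_abuse(xml_events):
    """One finding per EID 1 record where a CPL host loads a .cpl outside the system dirs."""
    events = [parse_event(x) for x in xml_events]
    by_guid = {e["ProcessGuid"]: e for e in events if "ProcessGuid" in e}
    findings = []
    for ev in events:
        if ev.get("EventID") != "1" or not is_cpl_host(ev):
            continue
        foreign = [p for p in CPL_PATH_RE.findall(ev.get("CommandLine", ""))
                   if not p.lower().startswith(SYSTEM_CPL_DIRS)]
        if foreign:
            findings.append({"record": int(ev["EventRecordID"]), "user": ev.get("User", ""),
                             "cpl": foreign, "chain": ancestry(ev, by_guid)})
    return findings


if __name__ == "__main__":
    for f in find_cpl_abuse(SAMPLE_XML):
        print(f["record"], f["user"], f["cpl"], " <- ".join(f["chain"]))
```

Run against the sample it reports record 5430855 with the chain control.exe <- cmd.exe <- powershell.exe, and the constructed rundll32.exe record; the System32 applet is ignored. The cmd.exe record carries the same .cpl path in its command line but is not itself a CPL host, so a rule keyed on the parent's command line alone would fire one process early and miss the rundll32 variant; keying on the host image plus the .cpl location keeps the signal tied to the load itself. A .cpl is an ordinary DLL, so a further check worth adding in production is the Event ID 7 ImageLoad for that path (Signed/Signature fields), which this export records for every module control.exe pulls in.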
734700x80000000000000005430839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.299{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005430838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.299{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005430837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.284{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 12241200x80000000000000005430836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005430835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005430834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 12241200x80000000000000005430833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005430832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005430828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005430811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005430810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005430809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005430808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005430807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 12241200x80000000000000005430806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005430805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005430803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005430800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005430789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005430788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005430787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005430786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:25.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
11241100x80000000000000005430785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005430784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5A153FAA33D2D991F512717CC8AEDE,SHA256=98C8180B06B73A7AAA4E90AB3888EECFF325030986C81669D0423F0AD4353327falsetrue 734700x80000000000000005430783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.174{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005430782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.174{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 
734700x80000000000000005430781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.174{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005430780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:25.174{4DF467A6-FD81-6138-3BD4-00000000F001}7344\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005430779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.174{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005430778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005430777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005430776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005430775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005430774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005430773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005430772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005430771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005430770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 
734700x80000000000000005430769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005430768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005430767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005430766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005430765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005430764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005430763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005430762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005430761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005430760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005430759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005430758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005430757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005430756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005430755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005430754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005430753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005430752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005430751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 
734700x80000000000000005430750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005430749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005430748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005430747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005430746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005430745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005430744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000005430743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:25.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005430742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000005430741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005430740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.159{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005430739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.144{4DF467A6-FD81-6138-3BD4-00000000F001}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005430738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:25.143{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:25.143{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:25.143{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000005430735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:25.143{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005430734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:14:25.143{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005430733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:14:25.143{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005433612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005433611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=532F98B06A83682DED81B7B21B16D993,SHA256=CEF79EB0F51C1D44CCEFB217A866DBA165ADAE8E01744F4A8A56C38C272D20EEfalsetrue 11241100x80000000000000005433610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 
23542300x80000000000000005433609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EA9B37DAEBCA60CAA89B8E8E9DC75562,SHA256=E107D97AD6A408D0C7CBDDDCB322C7AD28603906E2BC284F637A192C37B6ACF2falsetrue 11241100x80000000000000005433608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005433607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=42D70C93718F0EEE9EE6FA917F17392C,SHA256=934E2FAFFE1E3848CEE93D73582720519EA20887C087E7874EE4C5DB4BDB6F8Efalsetrue 11241100x80000000000000005433606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000005433605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=41A52DCFD0492F8A0A2131C9D1349156,SHA256=6B2074AC4710253458ECD0ADEEB6E7C4CCDEA7D1C863444C36C8C972F2F3C98Bfalsetrue 12241200x80000000000000005433604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005433602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.761{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=0C5492DFFA271BC1912BADFEBB497907,SHA256=536C445B9D489749547FAC1D0B01AF7F430BBFE31BCD2924E7DB3BFE66785452trueMicrosoft WindowsValid 12241200x80000000000000005433601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005433600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000005433598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005433583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.777{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.761{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.761{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000005433577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.761{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005433576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.761{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005433575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:26.761{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005433574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:26.761{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 10341000x80000000000000005433573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.761{4DF467A6-43FD-6136-8C7E-00000000F001}965400C:\Windows\explorer.exe{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005433572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.761{4DF467A6-43FD-6136-8C7E-00000000F001}965400C:\Windows\explorer.exe{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005433571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.761{4DF467A6-43FD-6136-8C7E-00000000F001}965400C:\Windows\explorer.exe{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005433570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:26.761{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005433569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.761{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000005433568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
Sysmon records (channel Microsoft-Windows-Sysmon/Operational) from the export, one record per line in page order. Extraction stripped the XML field tags and ran the values together; the field names below are restored from the Sysmon event schema and every value is as it appears in the export. Common to every record: Computer=win-dc-291.attackrange.local ; Keywords=0x8000000000000000 ; Level=4 ; Opcode=0 ; RuleName=- ; Task=EventID ; Version=3 for EventID 7 and 10, Version=2 for EventID 12 and 13. Every record with Image=C:\Windows\sysmon64.exe has ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001}. Fields are separated by " ; "; CallTrace frames keep their own "|" separator.

(continuation of the EventID 10 record begun on the preceding line) UtcTime=(date on preceding line) 18:14:26.761 ; SourceProcessGUID={4DF467A6-43FD-6136-8C7E-00000000F001} ; SourceProcessId=96 ; SourceThreadId=5092 ; SourceImage=C:\Windows\explorer.exe ; TargetProcessGUID={4DF467A6-FD82-6138-44D4-00000000F001} ; TargetProcessId=7264 ; TargetImage=C:\Windows\SysWOW64\win32calc.exe ; GrantedAccess=0x1410 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=13 ; RecordID=5433567 ; EventType=SetValue ; UtcTime=2021-09-08 18:14:26.761 ; ProcessGuid={4DF467A6-43FD-6136-8C7E-00000000F001} ; ProcessId=96 ; Image=C:\Windows\explorer.exe ; TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D04F4\VirtualDesktop ; Details=Binary Data
EventID=10 ; RecordID=5433566 ; UtcTime=2021-09-08 18:14:26.761 ; SourceProcessGUID={4DF467A6-43FD-6136-8C7E-00000000F001} ; SourceProcessId=96 ; SourceThreadId=5092 ; SourceImage=C:\Windows\explorer.exe ; TargetProcessGUID={4DF467A6-FD82-6138-44D4-00000000F001} ; TargetProcessId=7264 ; TargetImage=C:\Windows\SysWOW64\win32calc.exe ; GrantedAccess=0x1000 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=12 ; RecordID=5433565 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.761 ; ProcessGuid={4DF467A6-43FD-6136-8C7E-00000000F001} ; ProcessId=96 ; Image=C:\Windows\explorer.exe ; TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D04F4
EventID=10 ; RecordID=5433564 ; UtcTime=2021-09-08 18:14:26.761 ; SourceProcessGUID={4DF467A6-43FD-6136-8C7E-00000000F001} ; SourceProcessId=96 ; SourceThreadId=5092 ; SourceImage=C:\Windows\explorer.exe ; TargetProcessGUID={4DF467A6-FD82-6138-44D4-00000000F001} ; TargetProcessId=7264 ; TargetImage=C:\Windows\SysWOW64\win32calc.exe ; GrantedAccess=0x1000 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 ; RecordID=5433563 ; UtcTime=2021-09-08 18:14:26.761 ; SourceProcessGUID={4DF467A6-43FD-6136-8C7E-00000000F001} ; SourceProcessId=96 ; SourceThreadId=5092 ; SourceImage=C:\Windows\explorer.exe ; TargetProcessGUID={4DF467A6-FD82-6138-44D4-00000000F001} ; TargetProcessId=7264 ; TargetImage=C:\Windows\SysWOW64\win32calc.exe ; GrantedAccess=0x1000 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 ; RecordID=5433562 ; UtcTime=2021-09-08 18:14:26.761 ; SourceProcessGUID={4DF467A6-43FD-6136-8C7E-00000000F001} ; SourceProcessId=96 ; SourceThreadId=4068 ; SourceImage=C:\Windows\explorer.exe ; TargetProcessGUID={4DF467A6-FD82-6138-44D4-00000000F001} ; TargetProcessId=7264 ; TargetImage=C:\Windows\SysWOW64\win32calc.exe ; GrantedAccess=0x1410 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 ; RecordID=5433561 ; UtcTime=2021-09-08 18:14:26.761 ; SourceProcessGUID={4DF467A6-43FD-6136-8C7E-00000000F001} ; SourceProcessId=96 ; SourceThreadId=4068 ; SourceImage=C:\Windows\explorer.exe ; TargetProcessGUID={4DF467A6-FD82-6138-44D4-00000000F001} ; TargetProcessId=7264 ; TargetImage=C:\Windows\SysWOW64\win32calc.exe ; GrantedAccess=0x1000 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 ; RecordID=5433560 ; UtcTime=2021-09-08 18:14:26.761 ; SourceProcessGUID={4DF467A6-43FD-6136-8C7E-00000000F001} ; SourceProcessId=96 ; SourceThreadId=4068 ; SourceImage=C:\Windows\explorer.exe ; TargetProcessGUID={4DF467A6-FD82-6138-44D4-00000000F001} ; TargetProcessId=7264 ; TargetImage=C:\Windows\SysWOW64\win32calc.exe ; GrantedAccess=0x1000 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 ; RecordID=5433559 ; UtcTime=2021-09-08 18:14:26.761 ; SourceProcessGUID={4DF467A6-43FD-6136-8C7E-00000000F001} ; SourceProcessId=96 ; SourceThreadId=4068 ; SourceImage=C:\Windows\explorer.exe ; TargetProcessGUID={4DF467A6-FD82-6138-44D4-00000000F001} ; TargetProcessId=7264 ; TargetImage=C:\Windows\SysWOW64\win32calc.exe ; GrantedAccess=0x1410 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=12 ; RecordID=5433558 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.712 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433557 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.712 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EventID=7 ; RecordID=5433556 ; UtcTime=2021-09-08 18:14:26.549 ; ProcessGuid={4DF467A6-FD82-6138-44D4-00000000F001} ; ProcessId=7264 ; Image=C:\Windows\SysWOW64\win32calc.exe ; ImageLoaded=C:\Windows\SysWOW64\WindowsCodecs.dll ; FileVersion=10.0.14393.4350 (rs1_release.210407-2154) ; Description=Microsoft Windows Codecs Library ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=WindowsCodecs ; Hashes=MD5=31B320D99570E7D6FFE82CED32FD3863,SHA256=66782B6B23A96A8CA8D1B6EEACA4296683B90DB006015D00DBC4E3B8D51B5995 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=12 ; RecordID=5433555 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.712 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433554 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 ; RecordID=5433553 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 ; RecordID=5433552 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433551 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433550 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433549 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433548 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433547 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433546 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433545 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433544 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433543 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433542 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433541 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433540 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433539 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433538 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433537 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433536 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433535 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.711 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433534 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.700 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 ; RecordID=5433533 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.700 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EventID=7 ; RecordID=5433532 ; UtcTime=2021-09-08 18:14:26.534 ; ProcessGuid={4DF467A6-FD82-6138-44D4-00000000F001} ; ProcessId=7264 ; Image=C:\Windows\SysWOW64\win32calc.exe ; ImageLoaded=C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll ; FileVersion=10.0.14393.4530 (rs1_release.210705-0736) ; Description=Microsoft GDI+ ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=gdiplus ; Hashes=MD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=12 ; RecordID=5433531 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.700 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433530 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.700 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433529 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.700 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 ; RecordID=5433528 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.700 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 ; RecordID=5433527 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433526 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433525 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433524 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433523 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433522 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433521 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433520 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433519 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433518 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433517 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433516 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433515 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433514 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433513 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433512 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433511 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433510 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.699 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433509 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.697 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 ; RecordID=5433508 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.682 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 ; RecordID=5433507 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.682 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=7 ; RecordID=5433506 ; UtcTime=2021-09-08 18:14:26.518 ; ProcessGuid={4DF467A6-FD82-6138-44D4-00000000F001} ; ProcessId=7264 ; Image=C:\Windows\SysWOW64\win32calc.exe ; ImageLoaded=C:\Windows\SysWOW64\winmmbase.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=Base Multimedia Extension API DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=WINMMbase.DLL ; Hashes=MD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=12 ; RecordID=5433505 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433504 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EventID=7 ; RecordID=5433503 ; UtcTime=2021-09-08 18:14:26.534 ; ProcessGuid={4DF467A6-FD82-6138-44D4-00000000F001} ; ProcessId=7264 ; Image=C:\Windows\SysWOW64\win32calc.exe ; ImageLoaded=C:\Windows\SysWOW64\winmmbase.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=Base Multimedia Extension API DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=WINMMbase.DLL ; Hashes=MD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=12 ; RecordID=5433502 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433501 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 ; RecordID=5433500 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 ; RecordID=5433499 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433498 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433497 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433496 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433495 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433494 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433493 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433492 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433491 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433490 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433489 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433488 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433487 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433486 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433485 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.681 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433484 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.680 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433483 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.680 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433482 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.680 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433481 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.678 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 ; RecordID=5433480 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433479 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433478 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=7 ; RecordID=5433477 ; UtcTime=2021-09-08 18:14:26.518 ; ProcessGuid={4DF467A6-FD82-6138-44D4-00000000F001} ; ProcessId=7264 ; Image=C:\Windows\SysWOW64\win32calc.exe ; ImageLoaded=C:\Windows\SysWOW64\winmm.dll ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=MCI API DLL ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=WINMM.DLL ; Hashes=MD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539ED ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=12 ; RecordID=5433476 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 ; RecordID=5433475 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 ; RecordID=5433474 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433473 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433472 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433471 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433470 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433469 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433468 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433467 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433466 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433465 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433464 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433463 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433462 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433461 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433460 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433459 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433458 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433457 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.677 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433456 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.674 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 ; RecordID=5433455 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EventID=7 ; RecordID=5433454 ; UtcTime=2021-09-08 18:14:26.502 ; ProcessGuid={4DF467A6-FD82-6138-44D4-00000000F001} ; ProcessId=7264 ; Image=C:\Windows\SysWOW64\win32calc.exe ; ImageLoaded=C:\Windows\SysWOW64\win32calc.exe ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=Windows Calculator ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=WIN32CALC.EXE ; Hashes=MD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301 ; Signed=true ; Signature=Microsoft Windows ; SignatureStatus=Valid
EventID=12 ; RecordID=5433453 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433452 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433451 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 ; RecordID=5433450 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 ; RecordID=5433449 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433448 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433447 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433446 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433445 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433444 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433443 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433442 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433441 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433440 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433439 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433438 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 ; RecordID=5433437 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 ; RecordID=5433436 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 ; RecordID=5433435 ; EventType=CreateKey ; UtcTime=2021-09-08 18:14:26.673 ; ProcessId=2948 ; Image=C:\Windows\sysmon64.exe ; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 ; RecordID=5433434 ; EventType=CreateKey ; UtcTime=2021-09-08 (rest of the record continues on the following line)
18:14:26.673{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.673{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.672{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.671{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.662{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.662{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005433428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.487{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft 
Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 12241200x80000000000000005433427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.661{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.661{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005433425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005433424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005433420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.658{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.622{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.622{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005433401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.456{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 12241200x80000000000000005433400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005433398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005433397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005433392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.621{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000005433377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.619{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.616{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.616{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005433372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.456{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=12ED40D048D0F5F44D3877936A1B7E8B,SHA256=8E652B0663D0F0C6BFE7102329C9A84FB1E937273E51F8FF0FC3469350AF5C41trueMicrosoft WindowsValid 
12241200x80000000000000005433371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005433370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005433356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.615{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.613{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.612{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.612{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.611{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000005433346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.456{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 12241200x80000000000000005433345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.611{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005433344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.611{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005433343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.611{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000005433196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 10341000x80000000000000005433186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.565{4DF467A6-3F48-6132-1600-00000000F001}12482776C:\Windows\system32\svchost.exe{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005433185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005433182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.565{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005433181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005433177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005433176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.424{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 12241200x80000000000000005433175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005433170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000005433155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.565{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005433154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.424{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\ieframe.dll11.00.14393.4583 (rs1_release.210730-1850)Internet BrowserInternet ExplorerMicrosoft CorporationIEFRAME.DLLMD5=808D1FF9595090E003169ECCF5A01998,SHA256=F4211A12B2FA4DC0FBD6A302B8992047BC96A1E9E015D53205C42F909C87E95DtrueMicrosoft WindowsValid 12241200x80000000000000005433153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005433151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005433150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005433141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005433129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.534{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 534500x80000000000000005433128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.534{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exe 
734700x80000000000000005433127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.518{4DF467A6-FD81-6138-3ED4-00000000F001}7248C:\Windows\System32\rundll32.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005433126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.518{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x80000000000000005433125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.518{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x80000000000000005433124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.518{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 
534500x80000000000000005433123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.518{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exe 734700x80000000000000005433122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.518{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x80000000000000005433121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.518{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 10341000x80000000000000005433120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.518{4DF467A6-43FD-6136-8C7E-00000000F001}965400C:\Windows\explorer.exe{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005433119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.518{4DF467A6-43FD-6136-8C7E-00000000F001}965400C:\Windows\explorer.exe{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005433118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:26.518{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 
18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005433008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005433007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.315{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net 
Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 12241200x80000000000000005433006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005432992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.377{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005432982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.315{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 12241200x80000000000000005432981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005432978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005432955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.299{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=3E0252D377C7905383A3780B13495CA9,SHA256=FD24AD22E174873DEDC5BB091A9E32CF2689063C5B18E79615B3B52081582FADtrueMicrosoft WindowsValid 12241200x80000000000000005432954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005432950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005432933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.284{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 12241200x80000000000000005432932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x80000000000000005432929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.346{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
12241200x80000000000000005432779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.252{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005432768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000005432765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.159{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft 
Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 12241200x80000000000000005432764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005432750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005432747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.237{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x80000000000000005432746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.237{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 12241200x80000000000000005432745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005432744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.159{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2BtrueMicrosoft WindowsValid 12241200x80000000000000005432743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005432740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005432731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x80000000000000005432716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000005432712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.143{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\mintdh.dll10.0.14393.0 (rs1_release.160715-1616)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmintdh.dllMD5=32254E75260F1CAE3AB9EAC044B344B7,SHA256=B714E3CDEB23E63894D62E9335F51E301A9093F263623CCEFA2F674AABE7D629trueMicrosoft WindowsValid 12241200x80000000000000005432711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005432702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005432689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.143{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\StateRepository.Core.dll10.0.14393.4169 (rs1_release.210107-1130)StateRepository CoreMicrosoft® Windows® Operating SystemMicrosoft 
CorporationStateRepository.Core.dllMD5=94299201E0B602E4692F61C5A46E32D9,SHA256=D343410FB20D88B74BF661CACADBBD913034D02410A826A84D60B2B66A95A862trueMicrosoft WindowsValid
12241200x80000000000000005432688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.221{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000005432664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000005432663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000005432662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000005432660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.143{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\tdh.dll10.0.14393.4283 (rs1_release.210303-1802)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationtdh.dllMD5=18D509F5788831270FCDA4D11E023E37,SHA256=08965C78D75432D1E1199E8162B3FB3FE11D89945B69BA48DE6F595FB280E52FtrueMicrosoft WindowsValid
12241200x80000000000000005432659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.205{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000005432637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000005432636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
734700x80000000000000005432635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.127{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176trueMicrosoft WindowsValid
12241200x80000000000000005432634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000005432612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000005432611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000005432610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000005432609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.127{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValid
12241200x80000000000000005432608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000005432587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000005432586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
734700x80000000000000005432585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.127{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\AppXDeploymentServer.dll10.0.14393.4530 (rs1_release.210705-0736)AppX Deployment Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAppXDeploymentServer.dllMD5=33FBA504974FC48036A4A9C5F57821AA,SHA256=9132BB8E3E11F28C95F9C6E3A6155F003B6089A943A62E7085859A9504C21897trueMicrosoft WindowsValid
12241200x80000000000000005432584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.190{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x80000000000000005432563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.174{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid
734700x80000000000000005432562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.174{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\webservices.dll10.0.14393.2312 (rs1_release.180607-1919)Windows Web Services RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationWebServices.dllMD5=3EE43755685D59060FAC0E2F09D67686,SHA256=BF80D9B840C28BC4E8FE9A4E6DBCCCAEE37A108F83428ABA1DD780D5312369D8trueMicrosoft WindowsValid
12241200x80000000000000005432561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000005432558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000005432557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
734700x80000000000000005432556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.096{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7trueMicrosoft Windows PublisherValid
12241200x80000000000000005432555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000005432532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005432531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000005432526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.049{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\AppXDeploymentClient.dll10.0.14393.4169 (rs1_release.210107-1130)AppX Deployment Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationAppXDeploymentClient.dllMD5=CAB72C75488BEBBCE616BE92273067BC,SHA256=4C45D209A569E056CF52ED53968F926729DB1BF36043101A5798D47B421352C3trueMicrosoft WindowsValid 12241200x80000000000000005432525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005432518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 11241100x80000000000000005432516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 12241200x80000000000000005432515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005432511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 23542300x80000000000000005432509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C91469E01D751DB2B99278EDE5F0D7C7,SHA256=2CA0BF72C75F1D612C08E2C23B698BD8F95B811112CE02D6FFF7FD4854C29C7Dfalsetrue 10341000x80000000000000005432508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.159{4DF467A6-FD82-6138-43D4-00000000F001}73486292C:\Windows\system32\svchost.exe{4DF467A6-FD82-6138-42D4-00000000F001}2200c:\windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115046|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005432507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005432506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.159{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 12241200x80000000000000005432505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005432500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005432498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.049{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 
(rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 12241200x80000000000000005432497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005432483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005432479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.143{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638trueMicrosoft WindowsValid 734700x80000000000000005432478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.143{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005432477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.143{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1trueMicrosoft WindowsValid 12241200x80000000000000005432476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005432475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.018{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEMD5=E5F11087E724759F5A52667D22485DF5,SHA256=3F2400274E4AE8B9B6B622A0571BBD96C293A708925549495A2FF1672964E949trueMicrosoft WindowsValid 12241200x80000000000000005432474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000005432472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005432471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.143{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
Publishing 12241200x80000000000000005432324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005432320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.112{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 12241200x80000000000000005432319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000005432315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.940{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=BFCFB0177935E235B1FEBADE3694839D,SHA256=CD1F41DAC68DF0F1F87F18DA18FAE8EB5B4260DFA400BF5392367CB12C0BFF7EtrueMicrosoft WindowsValid 12241200x80000000000000005432314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005432311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005432307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.112{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 12241200x80000000000000005432306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
734700x80000000000000005432297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.112{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005432296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.112{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005432295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.112{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005432294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.096{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 
12241200x80000000000000005432293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005432292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.096{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005432291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.096{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000005432290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005432287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005432286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.940{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 12241200x80000000000000005432285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000005432282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 12241200x80000000000000005432281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000005432274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005432265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.096{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005432264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.096{4DF467A6-3F46-6132-0A00-00000000F001}6206028C:\Windows\system32\services.exe{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000005432263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.062{4DF467A6-FD82-6138-43D4-00000000F001}7348C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k wsappxC:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7{4DF467A6-3F46-6132-0A00-00000000F001}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 12241200x80000000000000005432262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005432261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005432258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000005432257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005432256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.924{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=94C93F32B21EB2DA6AFF2C264B17E623,SHA256=4ABE629C6A2A44F35F205709FB004837871D6CD4F3C21F2F77432B2F98DAFC77trueMicrosoft WindowsValid 12241200x80000000000000005432255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005432243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
734700x80000000000000005432233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.924{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid
12241200x80000000000000005432232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000005432231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000005432230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.096{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000005432208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
734700x80000000000000005432207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.924{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=A6D357B5D2E7F2465F6FA882AA821E28,SHA256=94E388860E6CF3C8A2B4DA25C23D8B54A88C49E6CB7664B8A164FFC2B9316E7AtrueMicrosoft WindowsValid
12241200x80000000000000005432206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000005432205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000005432181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000005432180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
734700x80000000000000005432179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.924{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=0F1E9D98CC524190E9B045908E6BC1F6,SHA256=252B3BA71F9452011FA60B6C7655DE65C93EE02754F6B7AF08CBBAAE844CDEEBtrueMicrosoft WindowsValid
12241200x80000000000000005432178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000005432155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000005432154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000005432153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000005432152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
734700x80000000000000005432147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.924{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid
12241200x80000000000000005432146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.080{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x80000000000000005432130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.924{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=AA7C77E4D80A83624BACD72A0A22E374,SHA256=E6B8C76FA6163B808D6B797B1227622925E2E861B383FB132C6B3D6BA24D71E3trueMicrosoft WindowsValid
12241200x80000000000000005432129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000005432128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000005432127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000005432126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000005432124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000005432110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000005432109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000005432108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000005432107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.065{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
10341000x80000000000000005432106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.049{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-3F46-6132-0A00-00000000F001}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005432105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.049{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005432104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.049{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005432103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.049{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-3F46-6132-0A00-00000000F001}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005432102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 12241200x80000000000000005432101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005432100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x80000000000000005432099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x80000000000000005432098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 12241200x80000000000000005432097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x80000000000000005432094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005432088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 12241200x80000000000000005432087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000005432080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005432078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x80000000000000005432077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.893{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 12241200x80000000000000005432076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005432071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x80000000000000005432070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x80000000000000005432069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x80000000000000005432068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x80000000000000005432067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000005432066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x80000000000000005432065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000005432064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000005432063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x80000000000000005432062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x80000000000000005432061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x80000000000000005432060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x80000000000000005432059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x80000000000000005432058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x80000000000000005432057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x80000000000000005432056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 23542300x80000000000000001535839Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:26.598{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CA77CFF24300530C0CC6268E9F2B8E,SHA256=FED0B2EB2D6E24EF660A08DCE2C3A668B290060EB1B9E4569E86316652694ADA,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000005432055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005432054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 12241200x80000000000000005432053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005432050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000005432047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 
(rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 12241200x80000000000000005432046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000005432045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.877{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 12241200x80000000000000005432044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
734700x80000000000000005432033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x80000000000000005432032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005432029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005432027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005432026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005432025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005432024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000005432023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.034{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000005432022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.018{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x80000000000000005432021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.018{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000005432020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.018{4DF467A6-4446-6132-EC05-00000000F001}17645008C:\Windows\system32\csrss.exe{4DF467A6-FD82-6138-42D4-00000000F001}2200c:\windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005432019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.018{4DF467A6-FD81-6138-40D4-00000000F001}13564168C:\Windows\SysWOW64\cmd.exe{4DF467A6-FD82-6138-42D4-00000000F001}2200c:\windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\SysWOW64\cmd.exe+ebb2|C:\Windows\SysWOW64\cmd.exe+69f6|C:\Windows\SysWOW64\cmd.exe+68fd|C:\Windows\SysWOW64\cmd.exe+c912|C:\Windows\SysWOW64\cmd.exe+c161|C:\Windows\SysWOW64\cmd.exe+10c43|C:\Windows\SysWOW64\cmd.exe+1499f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x80000000000000005432018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.031{4DF467A6-FD82-6138-42D4-00000000F001}2200C:\Windows\SysWOW64\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEc:\windows\system32\calc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=E5F11087E724759F5A52667D22485DF5,SHA256=3F2400274E4AE8B9B6B622A0571BBD96C293A708925549495A2FF1672964E949{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\calc.exe 12241200x80000000000000005432017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust 
Providers\Software Publishing 12241200x80000000000000005432016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005432015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005432014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005432013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005432011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000005432008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.877{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 12241200x80000000000000005432007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005432005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005432004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000005432003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.018{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 12241200x80000000000000005432002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005432000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005431995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005431990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005431988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 10341000x80000000000000005431987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.018{4DF467A6-43FD-6136-8C7E-00000000F001}965400C:\Windows\explorer.exe{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005431986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.877{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 12241200x80000000000000005431985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000005431983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005431975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.018{4DF467A6-43FD-6136-8C7E-00000000F001}965400C:\Windows\explorer.exe{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005431974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 10341000x80000000000000005431972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.018{4DF467A6-43FD-6136-8C7E-00000000F001}965400C:\Windows\explorer.exe{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005431971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.018{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005431963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.018{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005431962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.018{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
12241200x80000000000000005431961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000005431960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:26.002{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000011050E\VirtualDesktopBinary Data 12241200x80000000000000005431959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.002{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000011050E 10341000x80000000000000005431958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.002{4DF467A6-43FD-6136-8C7E-00000000F001}965092C:\Windows\explorer.exe{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005431957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:26.002{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005431956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.002{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000005431955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.002{4DF467A6-43FD-6136-8C7E-00000000F001}965092C:\Windows\explorer.exe{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005431954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:26.002{4DF467A6-FD81-6138-41D4-00000000F001}7288C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 10341000x80000000000000005431953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:26.002{4DF467A6-43FD-6136-8C7E-00000000F001}965092C:\Windows\explorer.exe{4DF467A6-FD81-6138-40D4-00000000F001}1356C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005431952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005431951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005431950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005431949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005431948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:26.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005431947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:25.877{4DF467A6-FD81-6138-3FD4-00000000F001}1272C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 12241200x80000000000000005431946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005431945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005431944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005431943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005431942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:26.002{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535868Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535867Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535866Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535865Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535864Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535863Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535862Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535861Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535860Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535859Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535858Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535857Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535856Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535855Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535854Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535853Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535852Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535851Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535850Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535849Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535848Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1F00-00000000F101}1968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535847Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1F00-00000000F101}1968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535846Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535845Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535844Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535843Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535842Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535841Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535840Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:27.338{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005433633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:28.256{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D04F4\VirtualDesktopBinary Data 12241200x80000000000000005433632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:28.256{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D04F4 534500x80000000000000005433631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:28.194{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exe 12241200x80000000000000005433630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 18:14:28.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D04F4 13241300x80000000000000005433629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:28.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005433628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:28.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000005433627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:28.194{4DF467A6-43FD-6136-8C7E-00000000F001}965400C:\Windows\explorer.exe{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005433626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:28.194{4DF467A6-43FD-6136-8C7E-00000000F001}965400C:\Windows\explorer.exe{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005433625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:28.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 10341000x80000000000000005433624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:28.194{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-9719-6137-95A6-00000000F001}4996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005433623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:28.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\jva32pnyp.rkrBinary Data 10341000x80000000000000005433622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:28.194{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-9719-6137-95A6-00000000F001}4996C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005433621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:28.194{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-9719-6137-95A6-00000000F001}4996C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005433620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:28.194{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-9719-6137-95A6-00000000F001}4996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005433619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:28.194{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc\Window_PlacementBinary Data 12241200x80000000000000005433618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:28.194{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc 12241200x80000000000000005433617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:28.194{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc 12241200x80000000000000005433616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:28.194{4DF467A6-FD82-6138-44D4-00000000F001}7264C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc 23542300x80000000000000001535877Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:28.772{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA8AE17809007CFBBFC9157E5AE36ED,SHA256=EFA6C895E684D281FB879035CFCB8691062B21751EB487E2FA7856E482334A7A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005433702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005433701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005433700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.975{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005433699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.975{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 
13241300x80000000000000005433698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.975{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005433697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.944{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005433696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.944{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005433695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.928{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005433694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.928{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 13241300x80000000000000005433693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:29.928{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C04C8\VirtualDesktopBinary Data 12241200x80000000000000005433692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.928{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C04C8 12241200x80000000000000005433691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.913{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKCR\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance 12241200x80000000000000005433690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.913{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKCR\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance 12241200x80000000000000005433689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.913{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKCR\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance 12241200x80000000000000005433688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.913{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKCR\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance 12241200x80000000000000005433687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.913{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 
12241200x80000000000000005433686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.913{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 13241300x80000000000000005433685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7LayoutBinary Data 12241200x80000000000000005433684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser 12241200x80000000000000005433683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar 13241300x80000000000000005433682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon\QatItemsBinary Data 13241300x80000000000000005433681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon\MinimizedStateTabletModeOffDWORD (0x00000001) 12241200x80000000000000005433680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:29.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon 12241200x80000000000000005433679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon 734700x80000000000000005433678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.835{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\UIRibbon.dll10.0.14393.2969 (rs1_release.190503-1820)Windows Ribbon FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationUIRibbon.dllMD5=9D1DA01AD4A8FE3EB9A3AA8C624A3D17,SHA256=CCBCB2185E26DFDCA2F4E1602C30F5765EC1513CCCEE0B78EB4DD8A5E881D6EEtrueMicrosoft WindowsValid 12241200x80000000000000005433677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.803{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar 13241300x80000000000000005433676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.803{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\LockedDWORD (0x00000001) 12241200x80000000000000005433675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.803{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar 734700x80000000000000005433674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:29.788{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=5F9B6C9B05956273CC91C5E70B2456EE,SHA256=F51014AC7DD24D56F5C22D8EB33DC1385C0A0A038C510B974BDE6068B5F335F9trueMicrosoft WindowsValid 734700x80000000000000005433673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.788{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDCtrueMicrosoft WindowsValid 734700x80000000000000005433672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.788{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.4467 (rs1_release.210604-1844)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=4D2537567A93ABF1D93CB7A7E76F954C,SHA256=5740181B56927C0DC66A6BCECA15EA2806A0ED471A01F785AD47C8C73A1DF85FtrueMicrosoft WindowsValid 734700x80000000000000005433671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.772{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\msftedit.dll10.0.14393.4169 (rs1_release.210107-1130)Rich Text Edit Control, v8.5Microsoft® Windows® Operating SystemMicrosoft CorporationMsftEdit.DLLMD5=0278F6675C79A2013494CDDDCFD6C7B3,SHA256=14F536EB288788586C90DE568BAB6C113D3F4CCD0EE732A17D438A23B225720AtrueMicrosoft WindowsValid 
12241200x80000000000000005433670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.741{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 10341000x80000000000000005433669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.741{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005433668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LaunchCountDWORD (0x00000010) 13241300x80000000000000005433667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LastAccessedTimeQWORD (0x01d7a4dd-0x5dafd0d0) 12241200x80000000000000005433666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 
12241200x80000000000000005433665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.741{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 734700x80000000000000005433664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.725{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.4283 (rs1_release.210303-1802)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=BE5D6961F4736274AD28D2B2BAF0CF50,SHA256=177BF5B04802C472A158EC012FF03055E74FC7121F47DAE0D6BF0FD9579F6A1EtrueMicrosoft WindowsValid 734700x80000000000000005433663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1trueMicrosoft WindowsValid 734700x80000000000000005433662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.725{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1trueMicrosoft WindowsValid 734700x80000000000000005433661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\deviceaccess.dll10.0.14393.4283 (rs1_release.210303-1802)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=BE5D6961F4736274AD28D2B2BAF0CF50,SHA256=177BF5B04802C472A158EC012FF03055E74FC7121F47DAE0D6BF0FD9579F6A1EtrueMicrosoft WindowsValid 13241300x80000000000000005433660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005433659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x80000000000000005433658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005433657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere (7).yaxBinary Data 
13241300x80000000000000005433656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005433655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere (7).yaxBinary Data 13241300x80000000000000005433654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LaunchCountDWORD (0x0000000f) 13241300x80000000000000005433653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A225A5E4-F523-4E7D-8A84-CF07A6F8646E}\LastAccessedTimeQWORD (0x01d7a4dd-0x5dafd0d0) 12241200x80000000000000005433652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 13241300x80000000000000005433651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005433650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x80000000000000005433649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005433648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere (7).yaxBinary Data 13241300x80000000000000005433647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005433646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere (7).yaxBinary Data 734700x80000000000000005433645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\Windows.Storage.Search.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Storage.SearchMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.Search.dllMD5=17D1040EDBA639BD1C2F7577D1070498,SHA256=E3F2CF21782C856A639525E84FF3C413C7CD091297C9A248CBC24541E2D76584trueMicrosoft WindowsValid 734700x80000000000000005433644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.710{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\MSWB7.dll10.0.14393.2791 (rs1_release.190205-1511)MSWB7 DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSWB7.dllMD5=5C7C3EBF7A50560DE37B750F3BB0F2B2,SHA256=227474B4306F6FA4F4A7EC5DAE2E91104BA6A156E31BDAD4B82D2E5426A53729trueMicrosoft WindowsValid 734700x80000000000000005433643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.710{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Program Files\7-Zip\7-zip.dll19.007-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=1193CBE87E8C399B0D52C6789AD560ED,SHA256=D7104B8CA24D8BD9BF42675418E7A807FFC738D25D20B613E25C274672B2D530false-Unavailable 734700x80000000000000005433642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.710{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\synceng.dll10.0.14393.0 (rs1_release.160715-1616)Windows Briefcase EngineMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSYNCENG.DLLMD5=A683B60F1A5FAC27D1173F937403ED1B,SHA256=57450827A7F7D880F236F27A1D92654A3284842226539A26F311CFA736083571trueMicrosoft WindowsValid 734700x80000000000000005433641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.710{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\syncui.dll10.0.14393.2608 (rs1_release.181024-1742)Windows BriefcaseMicrosoft® Windows® Operating SystemMicrosoft CorporationSYNCUI.DLLMD5=D3CD7E690590A1AD564C832DFE1A1922,SHA256=F3CB2B362A0970B106D8B5F27F80D019931090D3ED579C72182163502BA212B7trueMicrosoft WindowsValid 13241300x80000000000000005433640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:29.694{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005433639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.694{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 734700x80000000000000005433638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.694{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\twext.dll10.0.14393.4283 (rs1_release.210303-1802)Previous Versions property pageMicrosoft® Windows® Operating SystemMicrosoft Corporationtwext.dllMD5=52DA27C0F880437C2E6DA97516D68EDD,SHA256=D90E5DE35E53C01F57BD201D483A6E03C77F76C7BC497C83F85003F937779425trueMicrosoft WindowsValid 12241200x80000000000000005433637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.678{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKCR\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance 
12241200x80000000000000005433636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:29.678{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKCR\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance 11241100x80000000000000005433635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.335{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005433634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:29.335{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF2DA616963EBB555AB877F88ADE2C63,SHA256=5EC2BF5B9ABBDFB19CF2BD46A5E1131E671A1ED87CA63AE1DEABC6BAB3318D5Cfalsetrue 23542300x80000000000000001535879Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:29.775{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA47B02B6946BE19EB15A96F0A7EC4E,SHA256=CAD6BD26BEFF2E03CF0BEBFD25DC88958AA93B49FA38A9F7F5179839FA7177EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535878Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:29.157{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFF430B2C133BDD9FD43ED5DA699F547,SHA256=E97B1F5FD0D49CCC6C0B7F07ECFAA35BFD82E2AFEC319553D5E2C2F68A195F13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005433704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:30.256{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x80000000000000005433703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:30.256{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DFB2B617DF829D88FF60457802CBB444,SHA256=E853B35378DBCC8DC7F3A1780700D130AEA5FDB58EFC079DC472214CB701EADEfalsetrue 23542300x80000000000000001535881Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:30.778{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFAC4A18409D6F0CA4EA93AF4BF1131E,SHA256=1AD39DAD0A812B60A391B8D2322786DD7EF949D6664D74A54A785EA107B9B24C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001535880Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:22.812{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60657-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 12241200x80000000000000005433808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
12241200x80000000000000005434010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.538{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005434009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.538{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005434008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.538{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005434007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.538{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005434006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.538{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005434005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.538{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005434004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.538{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005434003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:32.538{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005434002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.538{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005434001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.538{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005434000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.538{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.538{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.522{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.522{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.522{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x80000000000000005433995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.522{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.522{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.522{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.522{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.522{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.522{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.522{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:32.522{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.522{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005433986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005433984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005433983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 12241200x80000000000000005433982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000005433981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005433966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.147{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005433959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005433958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005433956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 12241200x80000000000000005433955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005433952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.131{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000005433937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005433934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=C146766884A92B154F2EB38463F2263D,SHA256=48C5CC7760187EDB140A904D3AC5FD24F740973CDBA07962047859F84E7BEB9CtrueMicrosoft WindowsValid 12241200x80000000000000005433933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005433932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005433923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005433911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005433910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 
(rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 12241200x80000000000000005433909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005433907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005433905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005433904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000005433901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x80000000000000005433900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005433896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005433883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:32.116{4DF467A6-3F48-6132-1600-00000000F001}12482776C:\Windows\system32\svchost.exe{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005433882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.116{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005433881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 12241200x80000000000000005433880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005433879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005433878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005433877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005433876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005433875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 10341000x80000000000000005433874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005433873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x80000000000000005433872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:32.100{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005433871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005433870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 12241200x80000000000000005433869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000005433867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005433866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005433864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 12241200x80000000000000005433863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000005433858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164EtrueMicrosoft WindowsValid 12241200x80000000000000005433857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
734700x80000000000000005433854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 12241200x80000000000000005433853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005433843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 10341000x80000000000000005433842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:32.100{4DF467A6-4446-6132-EC05-00000000F001}17644228C:\Windows\system32\csrss.exe{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000005433841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005433840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000005433839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.100{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005433838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000005433837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005433836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.100{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005433835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.073{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\DllHost.exe 
/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 12241200x80000000000000005433834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.053{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9752b235-0000-0000-0000-100000000000} 12241200x80000000000000005433833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005433832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005433831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:31.975{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\EhStorAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Enhanced Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationEhStorapi.dllMD5=1287D2464B3F71ECC99316991E038B0B,SHA256=7FFA04958C7E76E42712E8D9E03037E3E98E2A6E1A6D277E48A76C55F4E794E8trueMicrosoft WindowsValid 12241200x80000000000000005433830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x80000000000000005433829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005433827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
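The records on this page are Sysmon XML events whose element text has been run together with no delimiters. Below is an added example, not code from the page or from the Attack Range project, that decodes that flattened layout far enough to be useful and then runs two checks a practitioner would want over it: how much of the EventID 12 volume is Sysmon itself creating keys under the `SystemCertificates\Disallowed` stores (the bursts at 18:14:31.991 and 18:14:32.100/.116 above, which coincide with the ImageLoad records carrying signature data and are the usual candidates for a config exclusion), and whether any loaded image lacks a `Valid` signature. The field boundaries are inferred from the records themselves: the `System` header (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) is decodable only because Sysmon sets Task equal to EventID; a literal `-` then precedes the concatenated `EventData` fields. The five sample records are copied verbatim from this page; the list of `SignatureStatus` values is an assumption, and the FileVersion through OriginalFileName run of an ImageLoad record cannot be split without a delimiter, so it is kept as one blob.

```python
"""Decode run-together Sysmon records (as shown on this page) and summarise them."""
import re
from collections import Counter

# System header. Task == EventID for Sysmon, which is what makes the digit run decodable.
HEADER = re.compile(
    r"(?P<eid>\d{1,2})(?P<ver>\d)(?P<lvl>\d)(?P=eid)0"         # EventID Version Level Task Opcode
    r"0x8000000000000000(?P<rec>\d+)"                        # Keywords EventRecordID
    r"Microsoft-Windows-Sysmon/Operational"                  # Channel
    r"(?P<host>[\w.-]+?)-(?=[A-Za-z]*\d{4}-\d{2}-\d{2} )"     # Computer, "-", then EventData
)
# Leading EventData fields shared by the event types here (EventType only on EventID 12,
# User only on EventID 23). Image is cut at the first ".exe"; everything after is "rest".
BODY = re.compile(
    r"(?P<etype>[A-Za-z]*)(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
    r"(?P<pguid>\{[0-9A-F-]{36}\})(?P<pid>\d+)(?P<user>[A-Za-z ]+\\[A-Za-z]+)?"
    r"(?P<image>[A-Za-z]:\\.+?\.exe)(?P<rest>.*)$", re.S)
HASHES = r"(?P<hashes>MD5=[0-9A-F]+,SHA256=[0-9A-F]+(?:,IMPHASH=[0-9A-F]+)?)"
# EventID 7: FileVersion..OriginalFileName have no recoverable boundary -> one "meta" blob.
# The SignatureStatus alternatives are an assumption, not taken from the page.
IMAGELOAD = re.compile(
    r"^(?P<loaded>[A-Za-z]:\\.+?\.(?:dll|exe|sys))(?P<meta>.*?)" + HASHES +
    r"(?P<signed>true|false)(?P<signature>.*?)"
    r"(?P<status>Valid|Invalid|Unavailable|Errors|Unsigned)$", re.S)
# EventID 23: TargetFilename, Hashes, IsExecutable, Archived.
FILEDELETE = re.compile(
    r"^(?P<target>.+?)" + HASHES + r"(?P<is_exe>true|false)(?P<archived>true|false)$", re.S)


def split_records(stream):
    """Cut a space-joined stream at every header start; each piece is one record."""
    starts = [m.start() for m in HEADER.finditer(stream)]
    ends = starts[1:] + [len(stream)]
    return [stream[a:b].rstrip() for a, b in zip(starts, ends)]


def parse(stream):
    """Return one dict per record; fields that could not be decoded land in 'unparsed'."""
    events = []
    for rec in split_records(stream):
        h = HEADER.match(rec)
        ev = {"eid": int(h["eid"]), "rec": int(h["rec"]), "host": h["host"]}
        b = BODY.match(rec, h.end())
        if b is None:
            ev["unparsed"] = rec[h.end():]
            events.append(ev)
            continue
        ev.update(b.groupdict())
        rest = ev.pop("rest")
        detail = {7: IMAGELOAD, 23: FILEDELETE}.get(ev["eid"])
        if ev["eid"] == 12:
            ev["target"] = rest                      # TargetObject is the whole remainder
        elif detail and (m := detail.match(rest)):
            ev.update(m.groupdict())
        else:
            ev["unparsed"] = rest
        events.append(ev)
    return events


def summarize(events):
    """Volume per EventID, keys Sysmon itself creates, and loads without a Valid signature.

    An EventID 7 record that failed to decode is reported too: silently dropping it
    would hide exactly the unsigned load the check exists for.
    """
    by_id = Counter(e["eid"] for e in events)
    self_keys = Counter(e["target"] for e in events
                        if e["eid"] == 12 and e["image"].lower().endswith("\\sysmon64.exe"))
    bad_loads = [e.get("loaded", "<unparsed EventID 7>") for e in events
                 if e["eid"] == 7 and (e.get("signed"), e.get("status")) != ("true", "Valid")]
    return by_id, self_keys, bad_loads


# Five records copied verbatim from this page, re-joined with the single space that
# separates records in the original stream.
RECORDS = [
    r"12241200x80000000000000005433915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates",
    r"12241200x80000000000000005433894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed",
    r"12241200x80000000000000005433893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:32.116{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed",
    r"734700x80000000000000005433911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:32.116{4DF467A6-FD88-6138-45D4-00000000F001}6060C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid",
    r"23542300x80000000000000001535894Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:32.814{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA74961A3C3B53611CA035EA7E13FC96,SHA256=A6799E2C23CBE932D74610E32F999371D1577980AB654451A58F8E0C1A9CC34A,IMPHASH=00000000000000000000000000000000falsetrue",
]
SAMPLE = " ".join(RECORDS)

if __name__ == "__main__":
    by_id, self_keys, bad_loads = summarize(parse(SAMPLE))
    print("events per EventID:", dict(by_id))
    print("keys created by sysmon64.exe:", dict(self_keys))
    print("image loads lacking a Valid signature:", bad_loads or "none")
```

Run on the five embedded records this reports three EventID 12, one EventID 7 and one EventID 23 event, shows `HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed` created twice by sysmon64.exe, and finds no image load without a valid Microsoft Windows signature. The decoding is a heuristic forced by the flattened input; the real fix is to keep the event structure at collection time (for a Splunk forwarder, the WinEventLog `renderXml` input setting) so that field boundaries never have to be guessed.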
12241200x80000000000000005433814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005433813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005433812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005433811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005433809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:31.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 23542300x80000000000000001535894Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:32.814{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA74961A3C3B53611CA035EA7E13FC96,SHA256=A6799E2C23CBE932D74610E32F999371D1577980AB654451A58F8E0C1A9CC34A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535893Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:32.642{AEE49BD1-FD88-6138-43CE-00000000F101}37201056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001535892Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:32.630{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7173MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535891Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:32.514{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD88-6138-43CE-00000000F101}3720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535890Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:32.514{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535889Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:32.514{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535888Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:32.514{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535887Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:32.514{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535886Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:32.514{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FD88-6138-43CE-00000000F101}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535885Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:32.514{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD88-6138-43CE-00000000F101}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535884Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:32.499{AEE49BD1-FD88-6138-43CE-00000000F101}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000005434201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.210{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local61366- 354300x80000000000000005434200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.209{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63500- 354300x80000000000000005434199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.208{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local59379- 354300x80000000000000005434198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.208{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56661- 354300x80000000000000005434197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.207{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local51608- 354300x80000000000000005434196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.206{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local63455- 12241200x80000000000000005434195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket 12241200x80000000000000005434194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:33.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9752b235-0000-0000-0000-100000000000} 13241300x80000000000000005434193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:33.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\40\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 12241200x80000000000000005434192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\40\Shell 12241200x80000000000000005434191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\40 12241200x80000000000000005434190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 13241300x80000000000000005434189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:33.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\MRUListExBinary Data 13241300x80000000000000005434188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:33.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\NodeSlotDWORD (0x00000028) 13241300x80000000000000005434187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:33.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x80000000000000005434186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:33.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListExBinary Data 12241200x80000000000000005434185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.741{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 13241300x80000000000000005434184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6Binary Data 12241200x80000000000000005434183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:33.725{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9752b235-0000-0000-0000-100000000000} 354300x80000000000000005434165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.203{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61691- 354300x80000000000000005434164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:20.203{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local58773- 354300x80000000000000005434163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.202{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60175- 354300x80000000000000005434162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.201{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local49371- 354300x80000000000000005434161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.201{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63833- 354300x80000000000000005434160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.200{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local59648- 354300x80000000000000005434159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.200{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local58784- 354300x80000000000000005434158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.199{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local57191- 354300x80000000000000005434157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.197{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56013- 354300x80000000000000005434156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.197{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local60381- 354300x80000000000000005434155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.196{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61808- 354300x80000000000000005434154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.195{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local61053- 354300x80000000000000005434153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.195{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local59343- 354300x80000000000000005434152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.194{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local50312- 354300x80000000000000005434151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.194{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63118- 354300x80000000000000005434150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.193{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local59973- 354300x80000000000000005434149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.193{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56824- 354300x80000000000000005434148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.192{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local60416- 354300x80000000000000005434147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.191{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51128- 354300x80000000000000005434146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.191{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local61650- 354300x80000000000000005434145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.190{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local58281- 354300x80000000000000005434144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.189{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local62930- 354300x80000000000000005434143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.188{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local63805- 354300x80000000000000005434142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.188{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local62527- 354300x80000000000000005434141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.187{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local56013- 354300x80000000000000005434140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.186{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local58586- 354300x80000000000000005434139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.186{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local65189- 354300x80000000000000005434138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.186{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local65189-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domain 354300x80000000000000005434137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.185{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local57518- 354300x80000000000000005434136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.185{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local59827- 354300x80000000000000005434135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.184{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56740- 354300x80000000000000005434134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:20.184{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56961-

Sysmon EventID 3 (NetworkConnect) records. System section for every row: Version 5, Level 4, Task 3, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-291.attackrange.local, RuleName -. Columns:
EventRecordID | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
5434133 | 2021-09-08 18:14:20.183 | {4DF467A6-3F58-6132-2600-00000000F001} | 2848 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | false | 10.0.1.14 | win-dc-291.attackrange.local | 53 | domain | false | 10.0.1.14 | win-dc-291.attackrange.local | 65089 | -
5434132 | 2021-09-08 18:14:20.183 | {4DF467A6-3F58-6132-2600-00000000F001} | 2848 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | true | 0:0:0:0:0:0:0:1 | win-dc-291.attackrange.local | 53 | domain | true | 0:0:0:0:0:0:0:1 | win-dc-291.attackrange.local | 61985 | -
5434131 | 2021-09-08 18:14:20.182 | {4DF467A6-3F58-6132-2600-00000000F001} | 2848 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | false | 10.0.1.14 | win-dc-291.attackrange.local | 53 | domain | false | 10.0.1.14 | win-dc-291.attackrange.local | 51627 | -
5434130 | 2021-09-08 18:14:20.181 | {4DF467A6-3F58-6132-2600-00000000F001} | 2848 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | true | 0:0:0:0:0:0:0:1 | win-dc-291.attackrange.local | 53 | domain | true | 0:0:0:0:0:0:0:1 | win-dc-291.attackrange.local | 51260 | -
5434129 | 2021-09-08 18:14:20.181 | {4DF467A6-3F58-6132-2600-00000000F001} | 2848 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | false | 10.0.1.14 | win-dc-291.attackrange.local | 53 | domain | false | 10.0.1.14 | win-dc-291.attackrange.local | 61396 | -
5434128 | 2021-09-08 18:14:20.180 | {4DF467A6-3F58-6132-2600-00000000F001} | 2848 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | true | 0:0:0:0:0:0:0:1 | win-dc-291.attackrange.local | 53 | domain | true | 0:0:0:0:0:0:0:1 | win-dc-291.attackrange.local | 50046 | -
5434127 | 2021-09-08 18:14:20.179 | {4DF467A6-3F58-6132-2600-00000000F001} | 2848 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | false | 10.0.1.14 | win-dc-291.attackrange.local | 53 | domain | false | 10.0.1.14 | win-dc-291.attackrange.local | 62012 | -
5434126 | 2021-09-08 18:14:20.179 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\System32\lsass.exe | NT AUTHORITY\SYSTEM | udp | true | false | 10.0.1.14 | win-dc-291.attackrange.local | 62012 | - | false | 10.0.1.14 | win-dc-291.attackrange.local | 53 | domain
5434125 | 2021-09-08 18:14:20.179 | {4DF467A6-3F58-6132-2600-00000000F001} | 2848 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | true | 0:0:0:0:0:0:0:1 | win-dc-291.attackrange.local | 53 | domain | true | 0:0:0:0:0:0:0:1 | win-dc-291.attackrange.local | 62891 | -
5434124 | 2021-09-08 18:14:20.179 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\System32\lsass.exe | NT AUTHORITY\SYSTEM | udp | true | true | 0:0:0:0:0:0:0:1 | win-dc-291.attackrange.local | 62891 | - | true | 0:0:0:0:0:0:0:1 | win-dc-291.attackrange.local | 53 | domain
5434123 | 2021-09-08 18:14:20.172 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\System32\lsass.exe | NT AUTHORITY\SYSTEM | tcp | false | true | fe80:0:0:0:f522:84ee:a273:e8a1 | win-dc-291.attackrange.local | 63416 | - | true | fe80:0:0:0:f522:84ee:a273:e8a1 | win-dc-291.attackrange.local | 49666 | -
5434122 | 2021-09-08 18:14:20.172 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\System32\lsass.exe | NT AUTHORITY\SYSTEM | tcp | true | true | fe80:0:0:0:f522:84ee:a273:e8a1 | win-dc-291.attackrange.local | 63416 | - | true | fe80:0:0:0:f522:84ee:a273:e8a1 | win-dc-291.attackrange.local | 49666 | -
5434121 | 2021-09-08 18:14:20.172 | {4DF467A6-3F47-6132-0D00-00000000F001} | 896 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | tcp | false | true | fe80:0:0:0:f522:84ee:a273:e8a1 | win-dc-291.attackrange.local | 63415 | - | true | fe80:0:0:0:f522:84ee:a273:e8a1 | win-dc-291.attackrange.local | 135 | epmap
5434120 | 2021-09-08 18:14:20.172 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\System32\lsass.exe | NT AUTHORITY\SYSTEM | tcp | true | true | fe80:0:0:0:f522:84ee:a273:e8a1 | win-dc-291.attackrange.local | 63415 | - | true | fe80:0:0:0:f522:84ee:a273:e8a1 | win-dc-291.attackrange.local | 135 | epmap
5434119 | 2021-09-08 18:14:19.812 | {4DF467A6-D939-6137-81AF-00000000F001} | 4208 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-291.attackrange.local | 63414 | - | false | 10.0.1.12 | - | 8000 | -

Sysmon EventID 12 (CreateKey) and 13 (SetValue) RegistryEvent records. System section for every row: Version 2, Level 4, Task = EventID, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-291.attackrange.local, RuleName -. Every row has ProcessGuid {4DF467A6-43FD-6136-8C7E-00000000F001}, ProcessId 96, Image C:\Windows\explorer.exe. Columns (Details exists only for EventID 13):
EventID | EventRecordID | EventType | UtcTime | TargetObject | Details
12 | 5434118 | CreateKey | 2021-09-08 18:14:33.272 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9752b235-0000-0000-0000-100000000000}
12 | 5434117 | CreateKey | 2021-09-08 18:14:33.272 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9752b235-0000-0000-0000-100000000000}
13 | 5434116 | SetValue | 2021-09-08 18:14:33.272 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType | Documents
13 | 5434115 | SetValue | 2021-09-08 18:14:33.272 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType | Documents
13 | 5434114 | SetValue | 2021-09-08 18:14:33.256 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageList | Binary Data
13 | 5434113 | SetValue | 2021-09-08 18:14:33.241 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA | Binary Data
13 | 5434112 | SetValue | 2021-09-08 18:14:33.241 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.Rkcybere | Binary Data
12 | 5434111 | CreateKey | 2021-09-08 18:14:33.241 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9752b235-0000-0000-0000-100000000000}
13 | 5434110 | SetValue | 2021-09-08 18:14:33.241 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedState | Binary Data
12 | 5434109 | CreateKey | 2021-09-08 18:14:33.241 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
13 | 5434108 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedState | Binary Data
12 | 5434107 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
13 | 5434106 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInner | Binary Data
12 | 5434105 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner
13 | 5434104 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInner | Binary Data
12 | 5434103 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner
12 | 5434102 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
12 | 5434101 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
12 | 5434100 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
13 | 5434099 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx | Binary Data
12 | 5434098 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
13 | 5434097 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Binary Data
12 | 5434096 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
13 | 5434095 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType | Documents
12 | 5434094 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
12 | 5434093 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
12 | 5434092 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
12 | 5434091 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
13 | 5434090 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx | Binary Data
12 | 5434089 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
13 | 5434088 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Binary Data
12 | 5434087 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
12 | 5434086 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
12 | 5434085 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
12 | 5434084 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
13 | 5434083 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx | Binary Data
12 | 5434082 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
13 | 5434081 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Binary Data
12 | 5434080 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
12 | 5434079 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
12 | 5434078 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
12 | 5434077 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
13 | 5434076 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx | Binary Data
12 | 5434075 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
13 | 5434074 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Binary Data
12 | 5434073 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
12 | 5434072 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
12 | 5434071 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
13 | 5434070 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx | Binary Data
12 | 5434069 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
13 | 5434068 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx | Binary Data
12 | 5434067 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
13 | 5434066 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Binary Data
12 | 5434065 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
13 | 5434064 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection | DWORD (0x00000001)
13 | 5434063 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID | DWORD (0x00000004)
13 | 5434062 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID | {B725F130-47EF-101A-A5F1-02608C9EEBAC}
13 | 5434061 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView | DWORD (0xffffffff)
13 | 5434060 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo | Binary Data
13 | 5434059 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort | Binary Data
13 | 5434058 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize | DWORD (0x00000030)
13 | 5434057 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags | DWORD (0x41200001)
13 | 5434056 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode | DWORD (0x00000002)
13 | 5434055 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode | DWORD (0x00000006)
13 | 5434054 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid | {65F125E5-7BE1-4810-BA9D-D271C8432CE3}
13 | 5434053 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags | DWORD (0x41200001)
13 | 5434052 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev | DWORD (0x00000000)
12 | 5434051 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
12 | 5434050 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
13 | 5434049 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx | Binary Data
12 | 5434048 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
13 | 5434047 | SetValue | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Binary Data
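The records on this page are raw Sysmon events (EventID 3 network connections, 10 process-handle opens, 12/13 registry writes) as Splunk's WinEventLog input flattens them. Two things a triage analyst wants from such a dump straight away are the UserAssist value names decoded (Windows stores them ROT13-obfuscated, which is why the explorer.exe SetValue rows show HRZR_PGYFRFFVBA and Zvpebfbsg.Jvaqbjf.Rkcybere) and every EventID 10 record checked for a handle to lsass.exe with memory-read rights, the pattern credential dumpers leave. The Python below is an added example written for this page, not code from the log export, from Sysmon or from Splunk. It parses Sysmon's native event XML (the sample events are constructed from values on the page; the lsass.exe access with source C:\Temp\dump.exe and record 9000001 is hypothetical and does not appear in the dump) and applies both checks.

```python
"""Triage Sysmon XML events: decode UserAssist names, flag lsass.exe handle opens.

Added example, not from the log export or from Sysmon/Splunk. The sample events at
the bottom are constructed: values copied from the page plus one hypothetical
lsass.exe access (C:\\Temp\\dump.exe, record 9000001) that is not in the dump.
"""
import codecs
import xml.etree.ElementTree as ET

# Sysmon emits standard Windows event XML in this namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

PROCESS_VM_READ = 0x0010            # read another process's memory
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS = 0x1FFFFF


def parse_sysmon_event(xml_text):
    """Flatten one <Event> into a dict of System fields plus EventData Name=value pairs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "EventRecordID": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def decode_userassist(target_object):
    """UserAssist value names are ROT13-encoded; return the clear name, or None when
    the TargetObject is not a UserAssist\\{GUID}\\Count\\<name> entry."""
    if "\\UserAssist\\" not in target_object or "\\Count\\" not in target_object:
        return None
    return codecs.decode(target_object.rsplit("\\", 1)[1], "rot_13")


def lsass_access_suspicious(event):
    """EventID 10: a process opened lsass.exe with rights that allow reading its memory.
    A production rule allowlists known openers (csrss, wininit, the EDR agent) on top."""
    if event["EventID"] != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(event["GrantedAccess"], 16)   # Sysmon writes it as 0x-prefixed hex
    return granted == PROCESS_ALL_ACCESS or bool(granted & PROCESS_VM_READ)


def triage(xml_events):
    """Run both checks over raw XML strings; return (kind, EventRecordID, detail) tuples."""
    findings = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        if ev["EventID"] == 13:
            name = decode_userassist(ev["TargetObject"])
            if name:
                findings.append(("userassist", ev["EventRecordID"], name))
        elif lsass_access_suspicious(ev):
            findings.append(("lsass_access", ev["EventRecordID"], ev["SourceImage"]))
    return findings


def _event(event_id, record_id, data):
    """Build a minimal Sysmon-style <Event> string (constructed test input only)."""
    fields = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID><EventRecordID>%d</EventRecordID>'
            '<Computer>win-dc-291.attackrange.local</Computer></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], event_id, record_id, fields))


UA = ("HKU\\S-1-5-21-2453051693-1864363570-3931539573-500\\SOFTWARE\\Microsoft\\Windows"
      "\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\")
SPLUNK = "C:\\Program Files\\SplunkUniversalForwarder\\bin\\"

# Constructed sample: two UserAssist SetValue rows and one ProcessAccess row from the
# page, plus a hypothetical lsass.exe access that the page does not contain.
SAMPLE_EVENTS = [
    _event(13, 5434113, {"EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe",
                         "TargetObject": UA + "HRZR_PGYFRFFVBA", "Details": "Binary Data"}),
    _event(13, 5434112, {"EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe",
                         "TargetObject": UA + "Zvpebfbsg.Jvaqbjf.Rkcybere", "Details": "Binary Data"}),
    _event(10, 1535906, {"SourceImage": SPLUNK + "splunkd.exe",
                         "TargetImage": SPLUNK + "splunk-powershell.exe", "GrantedAccess": "0x1fffff"}),
    _event(10, 9000001, {"SourceImage": "C:\\Temp\\dump.exe",          # hypothetical
                         "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Running it yields three findings: UEME_CTLSESSION and Microsoft.Windows.Explorer for the two UserAssist rows, and the hypothetical dump.exe handle to lsass.exe. The 0x1fffff (PROCESS_ALL_ACCESS) open of splunk-powershell.exe by splunkd.exe is not reported, because the target is not lsass.exe: a parent holding full access to its own child, as splunkd.exe, conhost.exe and csrss.exe do in this dump, is normal and a rule keyed on the access mask alone would page on it constantly.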
Sysmon EventID 12 (CreateKey) RegistryEvent records. System section for every row: Version 2, Level 4, Task 12, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-291.attackrange.local, RuleName -. Every row has ProcessGuid {4DF467A6-43FD-6136-8C7E-00000000F001}, ProcessId 96, Image C:\Windows\explorer.exe. Columns:
EventID | EventRecordID | EventType | UtcTime | TargetObject
12 | 5434046 | CreateKey | 2021-09-08 18:14:33.225 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
12 | 5434045 | CreateKey | 2021-09-08 18:14:33.210 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9752b235-0000-0000-0000-100000000000}
12 | 5434044 | CreateKey | 2021-09-08 18:14:33.022 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9752b235-0000-0000-0000-100000000000}
12 | 5434043 | CreateKey | 2021-09-08 18:14:33.022 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9752b235-0000-0000-0000-100000000000}
12 | 5434042 | CreateKey | 2021-09-08 18:14:33.022 | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9752b235-0000-0000-0000-100000000000}

Sysmon EventID 10 (ProcessAccess) records. System section for every row: Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-host-296.attackrange.local, RuleName -. The source runs SourceProcessId and SourceThreadId together into one number; the split below is inferred (2924 and 3384 are confirmed by the TargetProcessId of neighbouring records). CallTrace is the last column and keeps the source's own | frame separator. Columns:
EventRecordID | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace
1535914 | 2021-09-08 18:14:33.900 | {AEE49BD1-FD89-6138-45CE-00000000F101} | 2924 | 5804 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | {AEE49BD1-41F0-6132-A300-00000000F101} | 3384 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x101400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Sysmon EventID 23 (FileDelete) record. System section: Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-host-296.attackrange.local, RuleName -. Columns:
EventRecordID | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
1535913 | 2021-09-08 18:14:33.816 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DACA7D36AC1D3E008419AFD59AD3F0D9,SHA256=2E0B177AD0DB9DC84B3312F57A0C4F5FAC62DEFEDA0FAB21789E11E6CD6C2BED,IMPHASH=00000000000000000000000000000000 | false | true

Sysmon EventID 10 (ProcessAccess) records, columns and System section as in the EventID 10 block above:
1535912 | 2021-09-08 18:14:33.784 | {AEE49BD1-41F0-6132-A700-00000000F101} | 3764 | 3780 | C:\Windows\system32\conhost.exe | {AEE49BD1-FD89-6138-45CE-00000000F101} | 2924 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1535911 | 2021-09-08 18:14:33.784 | {AEE49BD1-415A-6132-0C00-00000000F101} | 724 | 632 | C:\Windows\system32\svchost.exe | {AEE49BD1-415B-6132-1D00-00000000F101} | 1860 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1535910 | 2021-09-08 18:14:33.784 | {AEE49BD1-415A-6132-0C00-00000000F101} | 724 | 632 | C:\Windows\system32\svchost.exe | {AEE49BD1-415B-6132-1D00-00000000F101} | 1860 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1535909 | 2021-09-08 18:14:33.784 | {AEE49BD1-415A-6132-0C00-00000000F101} | 724 | 632 | C:\Windows\system32\svchost.exe | {AEE49BD1-415B-6132-1D00-00000000F101} | 1860 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1535908 | 2021-09-08 18:14:33.784 | {AEE49BD1-415A-6132-0C00-00000000F101} | 724 | 632 | C:\Windows\system32\svchost.exe | {AEE49BD1-415B-6132-1D00-00000000F101} | 1860 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1535907 | 2021-09-08 18:14:33.784 | {AEE49BD1-4159-6132-0500-00000000F101} | 412 | 428 | C:\Windows\system32\csrss.exe | {AEE49BD1-FD89-6138-45CE-00000000F101} | 2924 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
1535906 | 2021-09-08 18:14:33.784 | {AEE49BD1-41F0-6132-A300-00000000F101} | 3384 | 3556 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | {AEE49BD1-FD89-6138-45CE-00000000F101} | 2924 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Sysmon EventID 1 (ProcessCreate) record. System section: Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, Computer win-host-296.attackrange.local, RuleName -. The source cuts this record off at the start of its User field; the remaining fields continue on the next line as in the source. Columns:
EventRecordID | UtcTime | ProcessGuid | ProcessId | Image | FileVersion | Description | Product | Company | OriginalFileName | CommandLine | CurrentDirectory | User
1535905 | 2021-09-08 18:14:33.770 | {AEE49BD1-FD89-6138-45CE-00000000F101} | 2924 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | - | - | - | - | - | "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" | C:\Windows\system32\ | NT 
AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535904Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:33.515{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EBE90A02C47CB2BB290B4C1FD101D99,SHA256=A0DDE7C961C97BEE56EC8B0043138D3619B46A4EE803552D55F6DEE5DAE17C9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535903Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:33.299{AEE49BD1-FD89-6138-44CE-00000000F101}52645516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535902Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:33.183{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD89-6138-44CE-00000000F101}5264C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535901Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:33.183{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535900Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:33.183{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535899Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:33.183{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535898Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:33.183{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535897Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:33.183{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FD89-6138-44CE-00000000F101}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535896Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:33.183{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD89-6138-44CE-00000000F101}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535895Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:33.169{AEE49BD1-FD89-6138-44CE-00000000F101}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000005434331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000005434330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 
13241300x80000000000000005434329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000005434328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x80000000000000005434327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x80000000000000005434326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.866{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 12241200x80000000000000005434325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 
12241200x80000000000000005434323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 
12241200x80000000000000005434317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000005434307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\40\Shell\SniffedFolderTypeDocuments 13241300x80000000000000005434306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.850{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\40\Shell\SniffedFolderTypeDocuments 13241300x80000000000000005434305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:34.835{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005434304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.835{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005434303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.835{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x80000000000000005434302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.835{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000005434301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.835{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x80000000000000005434300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 
12241200x80000000000000005434299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x80000000000000005434298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x80000000000000005434297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 13241300x80000000000000005434296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x80000000000000005434295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 13241300x80000000000000005434294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\40\Shell\SniffedFolderTypeGeneric 12241200x80000000000000005434293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\40\Shell 12241200x80000000000000005434292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 
13241300x80000000000000005434287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:34.819{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
13241300x80000000000000005434545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\43\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 12241200x80000000000000005434544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\43\Shell 12241200x80000000000000005434543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\43 12241200x80000000000000005434542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 13241300x80000000000000005434541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\1\MRUListExBinary Data 13241300x80000000000000005434540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\1\NodeSlotDWORD (0x0000002b) 
13241300x80000000000000005434539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x80000000000000005434538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\MRUListExBinary Data 12241200x80000000000000005434537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\1 13241300x80000000000000005434536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\1Binary Data 12241200x80000000000000005434535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 
12241200x80000000000000005434533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.991{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\0 12241200x80000000000000005434509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\0 12241200x80000000000000005434504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.631{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000005434497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\42\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 12241200x80000000000000005434496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\42\Shell 12241200x80000000000000005434495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\42 12241200x80000000000000005434494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 13241300x80000000000000005434493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\0\MRUListExBinary Data 13241300x80000000000000005434492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\0\NodeSlotDWORD (0x0000002a) 13241300x80000000000000005434491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x80000000000000005434490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\MRUListExBinary Data 12241200x80000000000000005434489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\0 13241300x80000000000000005434488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\0Binary Data 12241200x80000000000000005434487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:36.616{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\44\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 12241200x80000000000000005434608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\44\Shell 12241200x80000000000000005434607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\44 12241200x80000000000000005434606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 13241300x80000000000000005434605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\2\MRUListExBinary Data 13241300x80000000000000005434604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\2\NodeSlotDWORD (0x0000002c) 13241300x80000000000000005434603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x80000000000000005434602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\MRUListExBinary Data 12241200x80000000000000005434601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\2 13241300x80000000000000005434600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\2Binary Data 12241200x80000000000000005434599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:38.600{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 23542300x80000000000000001535921Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:38.898{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5525D15480CD45D6EC18DD8F0EF483,SHA256=6733685D5D2E9D7F59215FEEFA5A852E0D5F7C2DF3F4FA3FF8EBCB133D4B7642,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005434675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:39.710{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005434674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:39.710{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDD823EB0070332DAA4BAEDA8F39ABA,SHA256=7BC1B4509310561F3C7F46C0CC91776549E91CFD85556DA9B83A8234E7814E0Bfalsetrue 12241200x80000000000000005434673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\3 12241200x80000000000000005434672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\3 12241200x80000000000000005434667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\3 12241200x80000000000000005434659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\3 12241200x80000000000000005434654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.647{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000005434647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\45\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 12241200x80000000000000005434646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\45\Shell 12241200x80000000000000005434645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\45 12241200x80000000000000005434644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 13241300x80000000000000005434643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\3\MRUListExBinary Data 13241300x80000000000000005434642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\3\NodeSlotDWORD (0x0000002d) 13241300x80000000000000005434641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x80000000000000005434640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\MRUListExBinary Data 12241200x80000000000000005434639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\3 13241300x80000000000000005434638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\3Binary Data 12241200x80000000000000005434637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:39.413{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:42.492{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.492{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5 12241200x80000000000000005434856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.492{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.492{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.492{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.492{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:42.492{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.492{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.492{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000005434849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.492{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\SniffedFolderTypeDocuments 13241300x80000000000000005434848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.492{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\SniffedFolderTypeDocuments 13241300x80000000000000005434847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.476{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005434846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:42.476{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005434845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.476{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x80000000000000005434844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.461{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000005434843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.461{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x80000000000000005434842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.461{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000005434841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.461{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 
13241300x80000000000000005434840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.461{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x80000000000000005434839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.461{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 13241300x80000000000000005434838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x80000000000000005434837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 13241300x80000000000000005434836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\SniffedFolderTypeGeneric 12241200x80000000000000005434835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5 12241200x80000000000000005434834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5 12241200x80000000000000005434829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5 12241200x80000000000000005434821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5 12241200x80000000000000005434816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 
12241200x80000000000000005434810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000005434809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x80000000000000005434808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x80000000000000005434807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x80000000000000005434806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x80000000000000005434805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x80000000000000005434804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x80000000000000005434803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x80000000000000005434802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x80000000000000005434801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x80000000000000005434800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x80000000000000005434799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x80000000000000005434798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x80000000000000005434797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 12241200x80000000000000005434796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\41\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656} 12241200x80000000000000005434795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.445{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5 12241200x80000000000000005434783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5 12241200x80000000000000005434778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.428{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000005434771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 12241200x80000000000000005434770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47\Shell 12241200x80000000000000005434769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\47 12241200x80000000000000005434768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 13241300x80000000000000005434767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5\MRUListExBinary Data 13241300x80000000000000005434766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5\NodeSlotDWORD (0x0000002f) 13241300x80000000000000005434765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x80000000000000005434764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\MRUListExBinary Data 12241200x80000000000000005434763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5 13241300x80000000000000005434762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5Binary Data 12241200x80000000000000005434761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 12241200x80000000000000005434758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005434757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.178{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.178{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:42.178{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.178{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.178{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:42.178{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:42.178{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 23542300x80000000000000001535936Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:42.977{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138416C29647775157E03696C0C895C3,SHA256=BD6BA4058DF169A673D96BA5B98EAD63D004EFA7D556FD656046BDCC6307655B,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001535935Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:42.909{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD92-6138-46CE-00000000F101}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535934Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:42.909{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535933Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:42.909{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535932Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:42.909{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535931Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:14:42.909{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535930Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:42.909{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FD92-6138-46CE-00000000F101}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535929Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:42.909{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD92-6138-46CE-00000000F101}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535928Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:42.894{AEE49BD1-FD92-6138-46CE-00000000F101}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005434891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:43.961{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005434890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:43.961{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE315471E2EDA7E903EC339F705DF3E,SHA256=DA6CBB4807FACCC5C370B05C9AFA21BC12BEFADB0333237EAAC514495119CD79falsetrue 11241100x80000000000000005434889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:43.273{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005434888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:43.273{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA1FB7F3E4B1790A10555AF9FF252410,SHA256=DD2D7A194D60BC293EED44D31FAEBD5E9148685223390B17C58BD7C554DD1B1Ffalsetrue 23542300x80000000000000001535937Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:43.895{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=049EC4B7D1BE8B2BB77919DA41370297,SHA256=3C8EFB3E2208742AE5447C7AF96220ED65305B81EA31940CC53D5C71C7A4A69E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:44.648{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005435057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:44.648{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630F95674C1903B9430AFFFAD73ECFB0,SHA256=92D469CA4CD6D16CA29EAE8C4618BD24A320A95E291F608A25639C6F0DEB1EF5falsetrue 11241100x80000000000000005435056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:44.648{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:44.648{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9500FE202029DECCF7E091ADF6BBCC39,SHA256=7C22D694C1F47D4C796CBE9E105F6F06E8C46A002925157ABDF67BF652FE8E88falsetrue 13241300x80000000000000005435054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:44.555{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001104E0\VirtualDesktopBinary Data 12241200x80000000000000005435053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:44.555{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001104E0 13241300x80000000000000005435052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:44.539{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000005435051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.539{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x80000000000000005435050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000005435049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x80000000000000005435048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 
12241200x80000000000000005435047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 12241200x80000000000000005435046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5\0 12241200x80000000000000005435045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5 12241200x80000000000000005435044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005435043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005435042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 
12241200x80000000000000005435041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000005435040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5\0 12241200x80000000000000005435039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5 12241200x80000000000000005435038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005435037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005435036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.523{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005435035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5 12241200x80000000000000005434906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000005434899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0\5 12241200x80000000000000005434898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6\0 12241200x80000000000000005434897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 12241200x80000000000000005434896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 13241300x80000000000000005434895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000005434894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000005434893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000005434892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:44.273{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 23542300x80000000000000001535938Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:44.041{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F359F92BC39A683BDFE0C8E2D0220C,SHA256=25C780FCD25A2A3976C161A7AD81452E56428D6C32E99FBB9B3660B057B9A31C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005435059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:30.812{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63418-false10.0.1.12-8000- 23542300x80000000000000001535939Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:45.044{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CC883C8B22547A789D55CE7682FBCC,SHA256=64C7E70E2E0162B19D5CFA3B38031AAFAED6B1CC517DB0315A2F5643E7512D8E,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005435063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:46.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:46.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A56236187DC9687A52EB99735FC9B06,SHA256=DE470E21CCF7937BBBBB418B2F1F1BAF964674A7E63100F055F4BF917B13F13Cfalsetrue 11241100x80000000000000005435061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:46.133{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:46.133{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D3DD29ACC49A7D8A888CC2AE54BD4F,SHA256=0A60BCC6FDEC7F6D6DAFE0803F5A7DF70D1768B101BA6AD04C095B81A038B7C5falsetrue 23542300x80000000000000001535941Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:46.215{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AAADA6682BF4801DAFE654EAE86E0AA,SHA256=3D06E48A7F5AE3EB9039A2420171ECFD6DB2BAC3FB6799D60731588EAE335A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535940Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:46.047{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3C114BAABC4CB9BF33F05BD326C520,SHA256=3062A8DC8949267A40E8F68E7B8215E4784417CF44C73116CF432277F3C6A288,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:47.677{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005435066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:47.677{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005435065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:47.427{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:47.427{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E29A74B58973F008F9E204B5FA5BFB,SHA256=F5E026FEE4DA89C5A9998768EEB3FDFE5F3B398B815E9F6CB753DD844E54684Afalsetrue 354300x80000000000000001535943Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:39.870{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60660-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535942Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:47.066{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB42BD65417BDABA6214F12F9949BF27,SHA256=DEFA50F5CBCC4FFFF91BFB6FB37036766BA10636E9DAB433FB880A0BEB950808,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:48.786{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:48.786{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222A5B6B7069C17C10A48561E433A242,SHA256=D5F14B8772175BB7453B29BC441333FFA37E7020A599AE62EDB446B26361B564falsetrue 11241100x80000000000000005435069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:48.130{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:48.130{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9796C5DF26B11403B8E8A9B49E7189E7,SHA256=898A6FADC2554C71BBF40646E4695D492096A6241796D0BFCFEEBBB3C3A1756Bfalsetrue 23542300x80000000000000001535944Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:48.069{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A83ED883FA6470E383C89F0F31E4270,SHA256=88C61D0909835EEA69612F98CF525DA43379D8258B73E200055D956CFD05AF53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005435074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:35.310{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63419-false10.0.1.12-8089- 11241100x80000000000000005435073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:49.364{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:49.364{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B1C721BEC695D026718A79FFEF5EBE3E,SHA256=A815810127EB0124CAA7563FB8C13A59872061505613BBD21156BE67AC265B35falsetrue 23542300x80000000000000001535945Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:49.092{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C0EEA7BC6994C57452F4E2D6DBE1DB,SHA256=7F6FDBEA401C1817FA30F2803B3011CBA2DB9E46F2067C061243D547560E4CA0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005435083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:50.692{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 12241200x80000000000000005435082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:50.692{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU 12241200x80000000000000005435081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:14:50.692{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths 12241200x80000000000000005435080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:50.692{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU 11241100x80000000000000005435079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:50.677{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:50.677{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20FA2D9A995E0F42D895C98EE31C9CE1,SHA256=228F035BF802796C931C2313C8E630D4D16D4436875D93DA00491FFB49578CA9falsetrue 354300x80000000000000005435077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:36.747{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63420-false10.0.1.12-8000- 11241100x80000000000000005435076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:50.067{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005435075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:50.067{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60994BDA37B38F0446B35A27F589949F,SHA256=37D0ED7213798600FAC183144191186D53923D1F66A3F6B7DEFDD2A745B11064falsetrue 23542300x80000000000000001535946Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:50.094{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1041D68D976F570ECC5C0C0E0ADE793C,SHA256=09EF6ADA8884B262560CCC772E20C8F486A65B54AD0F016490EBB5788AD5BA2A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:51.942{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:51.942{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5C09C839225544B0B346BF64C70B519A,SHA256=C7DE76AEE3C4F27087FA84DD71F62769C31CF54EF32216C2E61FB51AB5CBAF49falsetrue 11241100x80000000000000005435085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:51.302{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:51.302{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A373802825A14E90D1A69A1ECF31CE,SHA256=2261830637DCBC1BCA0F5A6471E775330AF846912F868E0788C4FD9BA1152516falsetrue 23542300x80000000000000001535947Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:51.096{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE267A8D77428B50E0FC49C5A3F0CFE,SHA256=98606340E2C04CE9C6FA5D6BA36B9375D4804BFDE2C3E076DC0F8D6719209C29,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005435105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:52.974{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005435104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:52.958{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 
13241300x80000000000000005435103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:52.958{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x80000000000000005435102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:52.958{4DF467A6-43FD-6136-8C7E-00000000F001}965400C:\Windows\explorer.exe{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005435101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:52.958{4DF467A6-43FD-6136-8C7E-00000000F001}965400C:\Windows\explorer.exe{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005435100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:52.958{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005435099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:52.958{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000005435098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:52.958{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-9719-6137-95A6-00000000F001}4996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005435097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:52.958{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-9719-6137-95A6-00000000F001}4996C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005435096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:52.958{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-9719-6137-95A6-00000000F001}4996C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005435095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:52.958{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-9719-6137-95A6-00000000F001}4996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005435094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:52.520{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:52.520{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA529512C813EA5FA3474E5A282062FF,SHA256=643B42D2015BC60A49A4A289D5C3D41E2669AA911ECBDDC149DBDF4239597B7Efalsetrue 24542400x80000000000000005435092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:52.161{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe2user: ATTACKRANGE\administrator hostname: C02DN3AYMD6PMD5=A6B09245E636DE1B7A1283C91DD5B290,SHA256=022CD6EDA9988093AB822FF43A305B215249904D8FD1DB4B4B14BD6DE119BEABtrue 10341000x80000000000000005435091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:52.161{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005435090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:52.145{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005435089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:52.145{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeC:\Sysmon\CLIP-A6B09245E636DE1B7A1283C91DD5B290022CD6EDA9988093AB822FF43A305B215249904D8FD1DB4B4B14BD6DE119BEAB2021-09-08 18:14:52.145 10341000x80000000000000005435088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:14:52.145{4DF467A6-3F58-6132-2B00-00000000F001}29486384C:\Windows\sysmon64.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001535951Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:45.768{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60661-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535950Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:52.214{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE9EE81AA1BBDEFC5D86DB92061EA876,SHA256=C172AD4B0E3910A4EE30CDB1E1F1279DF394B09CD7AB6741905C4EBA1C926E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535949Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:52.214{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CB64CEE8874375F961514BEC1A39AB5,SHA256=C789C358CD4AE4C1840FD990ED7177133A1F84964A5C2AEF618BBE6FF1C395E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535948Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:52.098{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17416CC80ACDCAC9283C50CE4052B34A,SHA256=2B0569ADB866FE493655903BA92E52FE13594CA07AE8E1F6E073DB814C3D46D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:53.739{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:53.739{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BAB35DCEB6A21AAEEF31BAD183AC150,SHA256=16778BF1050179FB7ECBE80A02122C550F0DC27645781EAB04AD60FB7AA495A2falsetrue 23542300x80000000000000001535952Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:53.100{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5621199F02F5E3FF3A99CB656C47F8,SHA256=ECF7108C4118414C8F74E3D2944403298F33C3FA88ADB6C1EED680533CC81970,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:54.786{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:54.786{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40622E88EB70758E0C7C1D46C45C17FA,SHA256=6845E623D837FB6426989094AB5D93D81FA8A4E0193D83E0BC79860A758A97DDfalsetrue 11241100x80000000000000005435111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:54.395{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:54.395{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=738B97C3C6802C7426AFADAB5D63F248,SHA256=CA6F063F7B8EF36F2F07F51B23DBF3A4535F3CDB33CF0B236F4C1324DF9A7F91falsetrue 
11241100x80000000000000005435109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:54.395{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:54.395{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=45EBEDD5E80F5140A747D2F102F96B92,SHA256=2781ED2E491EF2CF3EE6414C8507F3A4786236539D1C45DB7DAA8A749D14A167falsetrue 23542300x80000000000000001535953Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:54.119{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A85DF6FC83C4D33960AA55D3CEE412,SHA256=3E58AC06A861D3C19C476F1A9C37CD62F1D068367C7D32F7510E031F7666C16B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005435117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:14:55.974{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005435116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:14:55.974{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 11241100x80000000000000005435115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:55.895{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:55.895{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8EFD586FEFD74D3B932660FAD65EE0,SHA256=28681736AC21228293E813267265DA124FBD94D0F399BCCA204823F91905D345falsetrue 23542300x80000000000000001535954Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:55.138{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5B89FA7AA9B8C3B75326921E37AF59,SHA256=97EE9DCB1FB44BA2FD14BF5459E7DD33CBBF21CBEC3CCB571E5E83A62FDFEC59,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:56.911{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:56.911{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656D45F94A0367C81F1EE33C8A19E896,SHA256=A464AB3AC3320169497BE9BDCCE4BAEC73EA44D135867D70A09A9F4BF24E951Ffalsetrue 11241100x80000000000000005435129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:56.895{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:56.895{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A5FC84DE0AA4C91F9EB0915CFF4B0F44,SHA256=003DCFEB4F76364F910808AD04DF9C1A17024BA2CC9E521652DDA81725788A1Afalsetrue 11241100x80000000000000005435127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:56.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:56.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C7AE0985E536092059BB34BA959F2153,SHA256=16B416A4ED3ACF670C8766786DCFCDCE4C37CCCC354E0A4CDBA3683A46F2C2C3falsetrue 734700x80000000000000005435125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:56.567{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dynamic\5e23681af10806a89347285a723c3227\System.Dynamic.ni.dll4.8.3761.0System.Dynamic.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Dynamic.dllMD5=D2425DF3A5A560E7B642C45716FAFC35,SHA256=ABAF8AEC09F26EE6AB28B7918C87A6A88EC887342F3C3D986EA43CD9D163E825false-Unavailable 12241200x80000000000000005435124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:56.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005435123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:56.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 354300x80000000000000005435122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:42.700{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63421-false10.0.1.12-8000- 11241100x80000000000000005435121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:56.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:56.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6A419E79F8D0CE1C430600309491C60,SHA256=07B2960967DB920F4B6BBFFB544A7A19216326890E55587D81218938F813BA17falsetrue 11241100x80000000000000005435119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:56.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:56.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B27C686830784B31C9C9E39816BAB136,SHA256=629CDEBCE215082E1FE9D00399613656B6FC67E63CEE4DC25A7F53E87DE07846falsetrue 23542300x80000000000000001535955Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:56.141{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3D375B4CAEC62BDF8A7A92C2B107D9,SHA256=769A45B5C2A048A48F2E911C138B679C9C41CF2B470992E7D0C185DF703A6157,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005435135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:57.927{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:57.927{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDAD65950EFF453EBFC6AAB117C1EF66,SHA256=6581729A3DED86C1BA6F62F39E1A4515B037F96C33575BEDA742AF7CBD731930falsetrue 11241100x80000000000000005435133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:57.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:57.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6F96ACC370AB915AD371C8EAF6E8AC1C,SHA256=276E1F21EF64A73C465FA09D3C33DFB2F8FC1CE21113569A1FC3E126FAE72814falsetrue 23542300x80000000000000001535956Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:57.144{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8824EBF33C7610AAFF3FACE502143B1,SHA256=20487DAB8DD515083764880783B078E67C580B8FEAAE7E9555F43F524AF7B8C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:58.958{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:58.958{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB697A63683D0391C85C369C1E089F3,SHA256=6DA68DCF71BA9728658F0BA252A574F352D0E6A6A58CCB6D13C2000107B3E7FCfalsetrue 354300x80000000000000001535960Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:51.750{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60662-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535959Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:58.145{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10FD81D70611DF0BF9DD755C2A37D50,SHA256=D002C2F101C6AAAFA180EDFF627A26C1D2BB06F7F0476031BBF4AE3D87DF1938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535958Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:58.096{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30A89A2EC5C9EB868F8B6B83DD571497,SHA256=B9B16E72CF173EA3DA9E6BC2E7A040DC89F4A91B5609BCDAFC96B8528264EF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535957Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:58.096{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE9EE81AA1BBDEFC5D86DB92061EA876,SHA256=C172AD4B0E3910A4EE30CDB1E1F1279DF394B09CD7AB6741905C4EBA1C926E6D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:59.989{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:59.989{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47474E87CDC73F380CCB8ADE8ED642E,SHA256=39F80C8FD436864509286CDF8540936D64C29D6F1C264B7AB7A5C3D2C884AC74falsetrue 23542300x80000000000000001535961Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:59.180{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA22F3CD70878562E153A034B9001C22,SHA256=902F85C5D26C62A26995F1DB0233E97D9FA056B16D5B6E196BC7A98E61CB124E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535962Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:00.200{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36095B233BBE1C407980C81D125EC6CD,SHA256=2BE0AC51DB191C73D65A38FB9241D3A7A09869BD00419C0A2B986BB16F78E267,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:00.677{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:00.677{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D96F956EC5571147835193F28B02B8FA,SHA256=F2F5FD116D738CF2F9AB1FBB0B10A77D22FEAC5487F375BE4D728E1406FA1DF1falsetrue 23542300x80000000000000001535963Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:01.207{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B44AC5D66AD8134794171813DD693C8,SHA256=82F124F8EEFAE4CFBA4F1463F1EA180753EC07A0FD9895B8019E9D52FBCCA6AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:01.927{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:01.927{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B465CF9C6A9307E906E017C338807CDB,SHA256=B375C3249411CB1389D4DD81251CC0877D1254EAA28DB14901362CDF70921CFDfalsetrue 11241100x80000000000000005435150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:01.833{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005435149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:01.833{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=21FEB399E6EF984856AE898C0DD78EF4,SHA256=468C0917E2A770EE6D9983E4871183D528B2F6FFA68A31F05689C2D68CF03D5Cfalsetrue 354300x80000000000000005435148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:47.778{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63422-false10.0.1.12-8000- 11241100x80000000000000005435147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:01.161{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:01.161{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C59DFD8E02E2A6D6EA60A893433DF5D0,SHA256=F077D98574E85C40858406B883A36EBD022FF4D3C3EA08CB4FCC0D100C24A484falsetrue 11241100x80000000000000005435145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:01.161{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000005435144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:01.161{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6A419E79F8D0CE1C430600309491C60,SHA256=07B2960967DB920F4B6BBFFB544A7A19216326890E55587D81218938F813BA17falsetrue 11241100x80000000000000005435143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:01.036{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:01.036{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772DEC0843991DF2AA7C25E02A23457F,SHA256=AD3B9FAFE05FC7DD9C4EE19D43BD2945A7EEB61A0F4049FDE840B22C3F3B647Bfalsetrue 23542300x80000000000000001535964Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:02.226{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2423A24B2DF3A493E85DEEE4F4F60B,SHA256=D08829DF421DD9EE0D711A545ECDFDC6A52E128765C5AE337EC822117C5BEBD1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:02.974{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:02.974{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C59DFD8E02E2A6D6EA60A893433DF5D0,SHA256=F077D98574E85C40858406B883A36EBD022FF4D3C3EA08CB4FCC0D100C24A484falsetrue 11241100x80000000000000005435158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:02.739{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:02.739{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7AFA6B20F71B3417E993455FE9FAF620,SHA256=04588EC503721BA0869D54DBE6A3A67E2E53DC645CF671ED5D8FFFA61B4F6783falsetrue 11241100x80000000000000005435156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:02.599{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:02.599{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3710D0A7CF222C2F8F1593773AC6B2C6,SHA256=461713F0D279B403859FEB63E84DB6531382B77AA00C2C9A58BE705CF7620042falsetrue 11241100x80000000000000005435154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:02.052{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:02.052{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A24B092E07B93302239F8FC550B2BD2,SHA256=B60FB9FECFC0B5279FAFB8187C71BC1C23DC61E9B1FCDB69219CBF4BFBC160E6falsetrue 354300x80000000000000001535968Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:56.882{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60663-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535967Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:03.229{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF04875E3E011FDB74DABDEE43C1C9DE,SHA256=5EF24E469F82A543FDE83716AEE557D5D1A751EB484ED2A129BA20B3B4C23038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535966Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:03.229{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30A89A2EC5C9EB868F8B6B83DD571497,SHA256=B9B16E72CF173EA3DA9E6BC2E7A040DC89F4A91B5609BCDAFC96B8528264EF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535965Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:03.229{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2B9DE447416AF5BAD33C7B422BD501,SHA256=8E1864DE6D848615CB1B5A9B45E6A5CE4A8697C455010287C7385B1C3B3EDF6F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:03.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:03.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3B80D5648778E41C1C40A15191D5B6,SHA256=7DD7144719F6B9AA2C2B557DB0588CD1B5BC2044AC1177EC4AE98776B81D3377falsetrue 11241100x80000000000000005435164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:04.145{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:04.145{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FC39789CC42850EAA90043D32BA2EE,SHA256=9F28DD52827087F14BAF8D9518558D1E4583F00D15AEB4BF3F04EC900AE3FEAFfalsetrue 23542300x80000000000000001535969Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:04.230{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF415112A322146EF6362088519DF289,SHA256=CE11D3572F577047E58E7C6B846E3BE53F546B259D5E77356B6D440F403BB653,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005435169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:05.833{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005435168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:05.833{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005435167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:05.833{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005435166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:05.177{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:05.177{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4537EB48843B1FE5201E6D4815FDC4D3,SHA256=5FE80FAC8DD1B4C34C29AEB6F2EC9575E289BA94B4E5868E07B01B5F6D49D7D0falsetrue 23542300x80000000000000001535971Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:05.796{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E2A92F8337A4731A2FBB2832E9BABBFF,SHA256=3479CE56D23078810E9EBF053A4E9716D2E3EFAC36E7FF171CC94B90CE5AFFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535970Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:05.233{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6BDC8680441D65ACBB6EFA2EE08B92,SHA256=C067D63020C364370F982E357CF8BE989E4669F1E8789A2A974224226BA32FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535972Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:06.250{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8E192141EB1B63E5D115E00F4402BF,SHA256=C83A7E227DE8C1CA7B9CABEA903380A0C2BF56CCEB25225AACB9F2E6FC3304EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:06.911{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:06.911{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CE336AECAFA1AA2CEC44870BC92516E4,SHA256=A7CA52CEC7D2805FC957A2682714EA6308E880D17B7A8682801D1658584AF81Ffalsetrue 11241100x80000000000000005435171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:06.208{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:06.208{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C23221400B58AC51D9E8000B888C798,SHA256=A5D829FD5C3BFBA59B0BC44CCD78C6ED570DB7284F355094D78F7DF3304FD5B4falsetrue 23542300x80000000000000001535973Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:07.253{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9128809698AA6253132DF0E95A56780,SHA256=43E7E65ECB9972F9220875C014C9662661AA2BD559A87112FD360AB4DF929ACA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005435182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:53.793{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63423-false10.0.1.12-8000- 
11241100x80000000000000005435181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:07.853{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:07.853{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=837F26CE22680F0F5EAA8D6F537C00BA,SHA256=EA66711F73241372EEBDB6CCBBCA77260347C2CCEE469224603383B82ABCA4D7falsetrue 11241100x80000000000000005435179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:07.291{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:07.291{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3ABE8FD1503C963713996CD212B167AA,SHA256=A9DBE5E95004B575D8362880C24608758DF81B7ACC927D4BC4B567EA55AB2A52falsetrue 11241100x80000000000000005435177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:07.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 
15:28:51.675 23542300x80000000000000005435176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:07.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95083313C261D54CFE5D9D2404991E42,SHA256=2065EA4CCF4D09C59B9958B785F67BF711F1B14283DA9B9BACBDB9AFD1ADC5E8falsetrue 11241100x80000000000000005435175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:07.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:07.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3E1507AA983D0E1EC246B72063598A39,SHA256=60CE4980AA6E28688409BE53DB643622F1C980BE5C287916EFF848933556C262falsetrue 23542300x80000000000000001535974Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:08.255{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13CA10965991FFABA4DC666205B149F,SHA256=700727CB5F154BCBB4104A241C109C3C70973B808BDCD2C7FA63E46D0291FD39,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:08.260{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:08.260{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8F013B5217977DBDDAE06D90E0417F,SHA256=8D6A21757E9BE70D602D8331235EAE7741D41187649A0DD90AD5FB6F390B62BCfalsetrue 23542300x80000000000000001535977Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:09.258{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1772B406463FBFB073A48773AAEC275,SHA256=B6DFDA0ABE1B00317B227BFC97A90BC131D89CCEF73C85832DE6534252D75C44,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:09.291{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:09.291{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B6B81B5E56CA7C929036CE46EF01BB,SHA256=0F74F356C150275FBC3814C229FF19F4ED7B5C50A622BCF5C9CFD24C5A227F1Afalsetrue 23542300x80000000000000001535976Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:09.205{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07AAC07EACAB5FE2037066D1FAF2BD7D,SHA256=935F22476B1F1F875FA6217CCE3451B001D2353E628B7891C7DDD2CD1BC2EA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535975Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:09.205{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF04875E3E011FDB74DABDEE43C1C9DE,SHA256=5EF24E469F82A543FDE83716AEE557D5D1A751EB484ED2A129BA20B3B4C23038,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001535979Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:02.858{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60664-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535978Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:10.330{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B445E2DA6A86CF946965DA0EFC3CFB,SHA256=1841445915EC364274DC17912850765A8BDA249D2C13BC014638E18BAE2C2A2E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:10.322{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:10.322{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF768EF2D9E41ED623783FBAF57BC287,SHA256=05306B96EF020ED164921878E9681708DC23D8C62D6B66FAD103CE3047B042DCfalsetrue 12241200x80000000000000005435188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:10.244{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005435187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:10.244{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000001535980Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:11.379{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B567164CB235F977F7A81E99ECA75318,SHA256=10E2B5BF0DB7A85F0BB34A24F4535A21F530B9C0FEEBC9F1158E172796348D2D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:11.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:11.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9B248147C61B35AC6CB45743E46E35F7,SHA256=F1ED39F406BFCC0A4B68074123203DF0C2E1E20ACE694AED96BB9871A82E70C1falsetrue 354300x80000000000000005435198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:57.892{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63424-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005435197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:57.892{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63424-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 11241100x80000000000000005435196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:11.353{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:11.353{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5AF32DEC6141151D292EB0D0751A00,SHA256=47063FFEB1FC0E4E46FFBFA406239640CB834E21BF66C401D2E56DF4B3C7A630falsetrue 11241100x80000000000000005435194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:11.353{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:11.353{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=54CBB39BFBA5BE159FB8490A98052033,SHA256=1F5CFFAF219445A39AE6A02401E7C6E86DDD07CFEFB530E84ACED9DC82878585falsetrue 11241100x80000000000000005435192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:11.260{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:11.260{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=297FA3A75F466374ED9CE5529E98DA86,SHA256=1E45296195EE8D6B64859BB56222D43EF39143298DECF92954061564549DF684falsetrue 23542300x80000000000000001535981Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:12.382{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111725514688699ABECA77F6B06D7D92,SHA256=E2042B99D0BE97E649D87D2ACCA39592CC8128B5AD52F3051C1CDF558413B9E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:12.838{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:12.838{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=07929D284C31AACFA7F8AB009F69F18C,SHA256=18DFED99D889E78EF1982AAD8621BD74AE0FF2E4D86519A60A0FE03D03A8EB2Efalsetrue 11241100x80000000000000005435204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:12.385{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:12.385{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D31A0253ECA24A523DB6671E96B529,SHA256=0EEE51ADD30BEA36D341B04E08D4F332A87C3BB152DE38F17ADBFCB876682161falsetrue 11241100x80000000000000005435202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:12.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:12.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8B963B2B8E53DDDF46EF1470F750AF77,SHA256=5187E5F26542C0367DC8C49237308EB3DAFADF9577E556E71A9A7F9A09EC0FD0falsetrue 354300x80000000000000005435211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:59.704{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63425-false10.0.1.12-8000- 11241100x80000000000000005435210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:13.416{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
18141800x80000000000000005435241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:18.069{4DF467A6-3F58-6132-2D00-00000000F001}2968\lsassC:\Windows\system32\DFSRs.exe 13241300x80000000000000005435240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:15:18.069{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 12241200x80000000000000005435239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:18.069{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000 11241100x80000000000000005435238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:18.069{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML.TMP2021-09-08 18:15:18.069 12241200x80000000000000005435237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:18.069{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Access Checks\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E 13241300x80000000000000005435236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:15:18.069{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E\Config SourceDWORD (0x00000001) 
13241300x80000000000000005435235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:15:18.069{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E.XML 12241200x80000000000000005435234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:18.069{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E 11241100x80000000000000005435233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:18.069{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E.XML.TMP2021-09-08 18:15:18.069 12241200x80000000000000005435232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:18.069{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000001536019Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:19.413{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB80F2826AD391C4C881AAF9027F7FFC,SHA256=0FDC59B2F9117FA3370DB199426301B2C6BEF183D393A051E1FBCA1C5DD38BB4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:19.556{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:19.556{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA183E94B3E3415671ED09BD1E01F30,SHA256=49A0444E528E9B0C0289717D75E53869863DCA5558109C29349A88F97E77B5C3falsetrue 23542300x80000000000000001536018Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:19.382{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FC786A30DE6FCA8E998A40B08D9CCB4,SHA256=E2C5F7ADB5B5937F1D673456325263242193E1C5ADDA29EADC774E60DF04837F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005435255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:05.730{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63428-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005435254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:05.730{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63428-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 
354300x80000000000000005435253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:05.718{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63427-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000005435252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:05.718{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63427-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 12241200x80000000000000005435251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:19.088{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 354300x80000000000000005435250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:04.829{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63426-false10.0.1.12-8000- 11241100x80000000000000005435263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:20.619{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:20.619{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9188F6B1859398FC7AD7EA701CE7373,SHA256=4FB44B26A2F63EC2CD78C10D603C0C989EC8854D0F7D3FC5842403AEC821333Afalsetrue 23542300x80000000000000001536020Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:20.416{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780330275B685D74D56E96A5441070D6,SHA256=E366063134591B2073C6C3EA053B70DC2C7CAF97A3C654738547D5A108DE7FAC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:20.103{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:20.103{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DA4C49F354830300EA6F6B75AA91F8D,SHA256=94870D4C1876901DB80F84C3ADC4C7B4C0E7BAC8B28C4924DDE61B2CF4637739falsetrue 354300x80000000000000005435259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:05.735{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63429-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005435258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:05.735{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63429-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 18141800x80000000000000005435329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:21.994{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:21.994{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005435327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:21.994{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:21.994{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005435325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:21.994{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:21.994{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005435323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.994{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.994{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=63C80B7A9B53F22300DF72D9687B201B,SHA256=5F31AB3406672ADC91C5CC65B1B99BC0B9D2FC45678567A12EA61E7B7F01B8BDfalsetrue 11241100x80000000000000005435321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.884{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.884{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB041927B8E8700F77C2F84312AE4D41,SHA256=CEE9DDC85C82623DC2FDACFABA36F8F8AC4340E5D7443AE694E0DE3BC53FC0A1falsetrue 23542300x80000000000000001536022Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:21.419{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714729F662C3A34BD2CA1E31DD250A67,SHA256=D18B7C9D7228F5F734435980EBB0C126AF6B4DF513CCBE9E76EF3B9248DB7702,IMPHASH=00000000000000000000000000000000falsetrue 
534500x80000000000000005435319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.588{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005435318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.588{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005435317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.588{4DF467A6-FDB9-6138-46D4-00000000F001}73884488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005435316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.588{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005435315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.588{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005435314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.478{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005435313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.478{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005435312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.478{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005435311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:21.478{4DF467A6-FDB9-6138-46D4-00000000F001}7388\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005435310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.478{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005435309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:21.463{4DF467A6-FDB9-6138-46D4-00000000F001}7388\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005435308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.463{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 
734700x80000000000000005435307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.463{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005435306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.463{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005435305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.463{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005435304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.463{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005435303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.463{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005435302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.463{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005435301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.463{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005435300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.447{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005435299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.447{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005435298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.447{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005435297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.447{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 
734700x80000000000000005435296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005435295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005435294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005435293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005435292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005435291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005435290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005435289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005435288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005435287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005435286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005435285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
734700x80000000000000005435284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005435283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005435282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.431{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005435281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.416{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 
734700x80000000000000005435280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.416{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005435279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.416{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005435278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.416{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005435277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.416{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005435276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.416{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005435275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.416{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005435274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.416{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005435273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:21.416{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005435272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.416{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005435271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.416{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005435270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.291{4DF467A6-FDB9-6138-46D4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005435269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:21.291{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:21.291{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005435267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:21.291{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:21.291{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005435265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:15:21.291{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:21.291{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000001536021Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:13.903{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60667-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005435449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AA269D5A460E697CC8DD8027B5F004,SHA256=A73D241F3AB32E527C3B9BDE81D8015986FA6933FC4F93DDF7F170828366264Afalsetrue 534500x80000000000000005435447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.931{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005435446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:22.931{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005435445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.931{4DF467A6-FDBA-6138-48D4-00000000F001}49046948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005435444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.931{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005435443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.931{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x80000000000000001536027Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:22.475{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536026Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:22.475{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536025Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:22.475{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001536024Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:22.455{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81A2D2F9E0643DEB92330DE65BD7954,SHA256=8E6A43942069000C900F4C8C4D1D4FB63916E6A056F56B426F214B5D2F592C1E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.916{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.916{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F36168E8BF7FB8F536542952BB1B8DCA,SHA256=84FB50718405CD1C34EB512E89528B67A5F07D37FA0F70181831B9CCFF0149FFfalsetrue 11241100x80000000000000005435440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.853{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.853{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663C21BDCC50CDA7CBBFA5AAE5F4B0FA,SHA256=54A314FD39E5702B6922961384CF33D87E06760DC2407C484BE730DA766CCCA0falsetrue 734700x80000000000000005435438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.822{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005435437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.822{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005435436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005435435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005435434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005435433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005435432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005435431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000005435430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005435429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005435428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005435427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005435426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005435425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005435424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005435423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.806{4DF467A6-FDBA-6138-48D4-00000000F001}4904C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005435338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.134{4DF467A6-FDB9-6138-47D4-00000000F001}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005435337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.134{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FDB9-6138-47D4-00000000F001}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005435336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.134{4DF467A6-FDB9-6138-47D4-00000000F001}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 
734700x80000000000000005435335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.119{4DF467A6-FDB9-6138-47D4-00000000F001}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005435334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.119{4DF467A6-FDB9-6138-47D4-00000000F001}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005435333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.119{4DF467A6-FDB9-6138-47D4-00000000F001}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005435332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.119{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FDB9-6138-47D4-00000000F001}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000005435331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:22.119{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FDB9-6138-47D4-00000000F001}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005435330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.998{4DF467A6-FDB9-6138-47D4-00000000F001}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001536023Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:22.152{AEE49BD1-415A-6132-0D00-00000000F101}7883920C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-0C00-00000000F101}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001536028Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:23.458{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C05AD428116FA4BDFB43255FBCD23B,SHA256=B646BC8C396B3F5CA47D3834D7A6123C45A2AEC3C2AE95EE3B309BB553D58DF2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.822{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.822{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=280648AA3D64312A07578A0B52F6012C,SHA256=F76B4A478650B2F3539E697723BFC04262490203A14DECA3FDCE90310CC1C496falsetrue 
534500x80000000000000005435505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.744{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005435504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.744{4DF467A6-FDBB-6138-49D4-00000000F001}48805580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005435503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.744{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005435502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.744{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005435501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005435500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005435499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005435498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 
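The records above are Sysmon events with their XML tags stripped: each one starts with the System fields (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) followed by the EventData values in schema order, so "734700x8000000000000000…" is an Event ID 7 ImageLoad (version 3, level 4, task 7, opcode 0) and "10341000x8…" is an Event ID 10 ProcessAccess. The ProcessAccess records here show the normal process-creation pattern: the parent (splunkd.exe), csrss.exe and conhost.exe each hold a 0x1fffff (PROCESS_ALL_ACCESS) handle on the new splunk-netmon.exe and splunk-admon.exe processes, while splunk-admon.exe opens its parent with only 0x101400 (query rights plus SYNCHRONIZE). The following Python is an added example, not part of this log export or of Splunk's or Sysmon's code: it parses Sysmon XML, decodes GrantedAccess into named rights, and triages Event ID 10 records by linking the source to the target's Event ID 1 ParentProcessGuid. The GUIDs, PIDs, images and masks in the fixture are copied from the records on this page; the XML wrapper is rebuilt because the page shows the records without tags; the csrss/conhost allowlist and the final "tool.exe" record are constructed assumptions (the latter is a negative case, not something observed on the page).

```python
# Added example: parse Sysmon XML and triage EID 10 (ProcessAccess) by GrantedAccess.
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Process access rights from winnt.h. PROCESS_ALL_ACCESS is 0x1FFFFF on Vista and later;
# bits 0x4000 and 0x8000 fall inside it but carry no public name.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",          0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",      0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",            0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",         0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",          0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",  0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the source read or change the target's memory or threads, which is
# what credential dumping and injection need; query rights alone are uninteresting.
INTRUSIVE = {"PROCESS_VM_READ", "PROCESS_VM_WRITE", "PROCESS_VM_OPERATION",
             "PROCESS_CREATE_THREAD", "PROCESS_DUP_HANDLE"}


def decode_granted_access(mask):
    """Split a GrantedAccess value ('0x1fffff' or int) into named rights and unnamed bits."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    names = [name for bit, name in PROCESS_RIGHTS.items() if value & bit]
    unnamed = value & ~sum(PROCESS_RIGHTS)
    return names, unnamed


def parse_events(xml_text):
    """Return [(event_id, {Data@Name: text})] for every <Event> in a Sysmon XML export."""
    out = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS):
        eid = int(ev.find("{%s}System/{%s}EventID" % (NS, NS)).text)
        data = {d.get("Name"): (d.text or "") for d in ev.find("{%s}EventData" % NS)}
        out.append((eid, data))
    return out


def triage_process_access(events, expected_sources=("csrss.exe", "conhost.exe")):
    """Classify EID 10 events. A source that created the target (linked through the EID 1
    ParentProcessGuid) or that is csrss/conhost is expected to hold a full handle; any
    other source holding intrusive rights is marked for review. The allowlist is an assumption."""
    parent_of = {d["ProcessGuid"]: d["ParentProcessGuid"] for eid, d in events if eid == 1}
    findings = []
    for eid, d in events:
        if eid != 10:
            continue
        names, _ = decode_granted_access(d["GrantedAccess"])
        src = d["SourceImage"].rsplit("\\", 1)[-1].lower()
        intrusive = sorted(INTRUSIVE & set(names))
        is_parent = parent_of.get(d["TargetProcessGUID"]) == d["SourceProcessGUID"]
        if not intrusive:
            verdict = "benign: query-only"
        elif is_parent:
            verdict = "expected: parent"
        elif src in expected_sources:
            verdict = "expected: " + src
        else:
            verdict = "review: intrusive rights from unrelated process"
        findings.append({"source": src, "target": d["TargetImage"].rsplit("\\", 1)[-1].lower(),
                         "mask": d["GrantedAccess"].lower(), "intrusive": intrusive,
                         "verdict": verdict})
    return findings


# Fixture: the page's records rebuilt in Sysmon's XML shape (System block abbreviated).
def _event(eid, **fields):
    system = ("<System><EventID>%d</EventID><Channel>Microsoft-Windows-Sysmon/Operational"
              "</Channel><Computer>win-dc-291.attackrange.local</Computer></System>" % eid)
    data = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in fields.items())
    return "<Event>%s<EventData>%s</EventData></Event>" % (system, data)

def _access(src_guid, src, tgt_guid, tgt, mask):
    return _event(10, SourceProcessGUID=src_guid, SourceImage=src,
                  TargetProcessGUID=tgt_guid, TargetImage=tgt, GrantedAccess=mask)

SPLUNKD = "{4DF467A6-D933-6137-53AF-00000000F001}"   # splunkd.exe, PID 7044
NETMON = "{4DF467A6-FDB9-6138-47D4-00000000F001}"    # splunk-netmon.exe, PID 5104
ADMON = "{4DF467A6-FDBB-6138-49D4-00000000F001}"     # splunk-admon.exe, PID 4880
UF = r"C:\Program Files\SplunkUniversalForwarder\bin"

SAMPLE_XML = '<Events xmlns="%s">' % NS + "".join([
    _event(1, ProcessGuid=NETMON, ProcessId="5104", Image=UF + r"\splunk-netmon.exe",
           ParentProcessGuid=SPLUNKD, ParentImage=UF + r"\splunkd.exe"),
    _access(SPLUNKD, UF + r"\splunkd.exe", NETMON, UF + r"\splunk-netmon.exe", "0x1fffff"),
    _access("{4DF467A6-3F46-6132-0500-00000000F001}", r"C:\Windows\system32\csrss.exe",
            NETMON, UF + r"\splunk-netmon.exe", "0x1fffff"),
    _access("{4DF467A6-D934-6137-57AF-00000000F001}", r"C:\Windows\system32\conhost.exe",
            NETMON, UF + r"\splunk-netmon.exe", "0x1fffff"),
    _access(ADMON, UF + r"\splunk-admon.exe", SPLUNKD, UF + r"\splunkd.exe", "0x101400"),
    # Constructed negative case, not from the page: an unrelated binary reading splunkd memory.
    _access("{00000000-0000-0000-0000-000000000000}", r"C:\Users\Public\tool.exe",
            SPLUNKD, UF + r"\splunkd.exe", "0x1410"),
]) + "</Events>"

if __name__ == "__main__":
    for f in triage_process_access(parse_events(SAMPLE_XML)):
        print("%-16s -> %-18s %-9s %s" % (f["source"], f["target"], f["mask"], f["verdict"]))
```

Run stand-alone, the script prints one line per ProcessAccess record: the three 0x1fffff handles resolve to the parent, csrss.exe and conhost.exe and are marked expected, the 0x101400 open from splunk-admon.exe decodes to PROCESS_QUERY_INFORMATION, PROCESS_QUERY_LIMITED_INFORMATION and SYNCHRONIZE and is marked query-only, and only the constructed 0x1410 (PROCESS_VM_READ plus query rights) open from an unrelated image is flagged for review. The parent link is what makes this usable at scale: without joining to Event ID 1, every service manager spawning a child would look like a full-access handle from a third party.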
734700x80000000000000005435497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005435496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005435495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005435494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005435493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005435492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005435491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005435490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
734700x80000000000000005435489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005435488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005435487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005435486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005435485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005435484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005435483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005435482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005435481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005435480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005435479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005435478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005435477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005435476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005435475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005435474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.619{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005435473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.603{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005435472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.603{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005435471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:23.603{4DF467A6-FDBB-6138-49D4-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 
providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005435518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:24.400{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FDBC-6138-4AD4-00000000F001}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005435517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:24.400{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FDBC-6138-4AD4-00000000F001}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000005435516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:24.276{4DF467A6-FDBC-6138-4AD4-00000000F001}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005435515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:24.275{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:24.275{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005435513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:24.275{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:24.275{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005435511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:24.275{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:24.275{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005435509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:24.088{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:24.088{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83CB4131BCEA12E1BF7454180531C8BA,SHA256=7B9A510FC49DDEFA3AA3228B89E7C566E9E201BCEFC998AF03C0780C8F789C9Cfalsetrue 23542300x80000000000000001536030Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:25.466{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580A296517D40898C03827EE9D53663F,SHA256=9B65996B86916B4F72A9217AB6BC2DF180EF788678092F0E815D6417470D34AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.947{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\docusign.cpl2021-09-08 18:15:25.947 
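One record in the run above is worth isolating from the forwarder noise: at 18:15:25.947 on win-dc-291 a Sysmon Event ID 11 (FileCreate) shows powershell.exe (PID 3852) writing C:\Users\Administrator\AppData\Local\Temp\docusign.cpl. A .cpl is a Control Panel item, a PE DLL that Windows will load and execute, so a script host dropping one into a user Temp directory is the staging half of ATT&CK T1218.002 (Control Panel). The detection below is added example code, not part of this export or of Splunk Attack Range. It assumes Sysmon's standard XML event shape (which the flattened export here was rendered from), a hypothetical list of script hosts to treat as suspicious writers, and four constructed sample events: the first mirrors the record on this page, the second mirrors the forwarder's own benign checkpoint write, and the last two are invented to exercise a non-.cpl write and case variance in the path.

```python
"""Detection for the FileCreate record on this page: a script host writing a Control
Panel item (.cpl) into a user's AppData\\Local\\Temp. Added example code, not part of
the Sysmon export; the sample events are constructed in Sysmon's XML shape."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: script hosts whose .cpl writes we treat as staging. Extend to taste.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# <drive>:\Users\<profile>\AppData\Local\Temp\...\<name>.cpl, case-insensitive.
TEMP_CPL_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\.*\.cpl$", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    utc_time: str
    process_id: str
    image: str
    target: str


def parse_event(xml_text: str) -> dict:
    """Flatten one Sysmon event into {EventID, Computer, <EventData Name>: value}."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", SYSMON_NS)
    ev = {
        "EventID": system.findtext("e:EventID", namespaces=SYSMON_NS),
        "Computer": system.findtext("e:Computer", namespaces=SYSMON_NS),
    }
    for data in root.find("e:EventData", SYSMON_NS):
        ev[data.get("Name")] = data.text or ""
    return ev


def is_temp_cpl_drop(ev: dict) -> bool:
    """True for Event ID 11 where a script host creates a .cpl under a user's Temp."""
    if ev.get("EventID") != "11":
        return False
    image_name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return image_name in SCRIPT_HOSTS and bool(TEMP_CPL_RE.match(ev.get("TargetFilename", "")))


def scan(events) -> list:
    """Run the rule over raw Sysmon XML strings and return one Alert per hit."""
    return [Alert(ev["Computer"], ev["UtcTime"], ev["ProcessId"], ev["Image"], ev["TargetFilename"])
            for ev in map(parse_event, events) if is_temp_cpl_drop(ev)]


def sysmon_xml(event_id: int, computer: str, **data) -> str:
    """Build a minimal Sysmon-shaped event (constructed sample, not a real export)."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{SYSMON_NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>')


HOST = "win-dc-291.attackrange.local"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
UF = r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"

# Constructed samples. The first mirrors the record on this page, the second mirrors the
# forwarder's checkpoint write; the last two are invented (non-.cpl write, mixed-case path).
SAMPLE_EVENTS = [
    sysmon_xml(11, HOST, RuleName="-", UtcTime="2021-09-08 18:15:25.947",
               ProcessGuid="{4DF467A6-9719-6137-94A6-00000000F001}", ProcessId="3852",
               Image=PS, TargetFilename=r"C:\Users\Administrator\AppData\Local\Temp\docusign.cpl",
               CreationUtcTime="2021-09-08 18:15:25.947"),
    sysmon_xml(11, HOST, RuleName="-", UtcTime="2021-09-08 18:15:25.291",
               ProcessGuid="{4DF467A6-D93F-6137-8AAF-00000000F001}", ProcessId="5720",
               Image=UF,
               TargetFilename=r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security",
               CreationUtcTime="2021-09-03 15:27:39.769"),
    sysmon_xml(11, HOST, RuleName="-", UtcTime="2021-09-08 18:16:00.000",
               ProcessGuid="{4DF467A6-9719-6137-94A6-00000000F001}", ProcessId="3852",
               Image=PS, TargetFilename=r"C:\Users\Administrator\AppData\Local\Temp\notes.txt",
               CreationUtcTime="2021-09-08 18:16:00.000"),
    sysmon_xml(11, HOST, RuleName="-", UtcTime="2021-09-08 18:16:05.000",
               ProcessGuid="{00000000-0000-0000-0000-000000000000}", ProcessId="4444",
               Image=r"C:\Program Files\PowerShell\7\pwsh.exe",
               TargetFilename=r"C:\USERS\bob\AppData\Local\TEMP\stage\Update.CPL",
               CreationUtcTime="2021-09-08 18:16:05.000"),
]


def run_sample() -> list:
    """Apply the rule to the constructed samples; two of the four should fire."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.host} {a.utc_time} pid={a.process_id} {a.image} -> {a.target}")
```

The rule keys on the same fields the export carries for a FileCreate record (UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime), so it ports directly to a search over the forwarded Sysmon channel. Two caveats: the hit is a staging indicator, not proof of execution, and the follow-on to look for is a separate process-create record of a Control Panel host loading that file, which this excerpt does not contain; and matching on the image name alone is defeated by a renamed binary, so in production pair it with the OriginalFileName or hash that Sysmon's process-create record provides.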
18141800x80000000000000005435660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:25.869{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:25.869{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005435658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:25.869{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:25.869{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005435656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:25.869{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:25.869{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000005435654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.338{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005435653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.338{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 
(rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005435652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.338{4DF467A6-FDBD-6138-4BD4-00000000F001}38921864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005435651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.338{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005435650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.338{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 18141800x80000000000000005435649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:25.306{4DF467A6-3F58-6132-2600-00000000F001}2848\lsassC:\Windows\system32\dns.exe 11241100x80000000000000005435648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.291{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.291{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AD199BB7181BE3CF421022D4CE27C26,SHA256=F1AD2DF95325F0920FB15968D0710008995CCEF649A2A1EE2F06A6C0C61A4A00falsetrue 354300x80000000000000005435646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:09.861{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63430-false10.0.1.12-8000- 11241100x80000000000000005435645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:25.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86D06AC0CE813C7D9211EE2317336AD,SHA256=AC379B5A330ED71F3673016E23B07AB6AACE5022792F21C107814CB91427B94Dfalsetrue 734700x80000000000000005435643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005435642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005435641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 
18141800x80000000000000005435640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005435639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005435638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005435637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005435636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005435635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005435634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005435633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005435632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005435631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005435630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005435629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 
734700x80000000000000005435628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005435627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005435626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005435625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005435624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005435623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005435622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005435621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 
built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005435620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005435619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005435618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005435617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.213{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005435616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005435615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005435614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005435613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005435612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005435611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005435610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005435609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005435608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005435607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005435606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005435605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:25.197{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005435604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005435603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005435602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 
734700x80000000000000005435601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005435600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005435599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.197{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005435598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:25.073{4DF467A6-FDBD-6138-4BD4-00000000F001}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005435597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:25.072{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:25.072{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005435595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:25.072{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:25.072{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005435593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:25.072{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005435592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:25.072{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001536034Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:26.500{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8C45095CBCD93AF5D2A40E584F378B,SHA256=EAFA88F0F90F1C022C46B2495955461E4B8F640C81989F6CE0C3D5C49EA849FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DAECEBB62DA72046F2EA8313D092BE0C,SHA256=14FDCBA00852AA880921ABB4F5304606D8FF19EE0398A74DCAE2FA9F5B74E252falsetrue 
11241100x80000000000000005435717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.494{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.494{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7112C946ACDF3E3F91970CEB3C38466D,SHA256=4E985B3A14F5A9B8D1120EB1360A2D762129CF68AB96504E9BFE60FB28A8AB8Dfalsetrue 11241100x80000000000000005435715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.463{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000005435714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.463{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.463{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718BD2CB71B90250AF158ABE03FE84AE,SHA256=0340109A8FACC20EF05DC56014011F60A827CDDA310F12250AEB42475A8604DCfalsetrue 23542300x80000000000000005435712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.463{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AA0108DEB1C3FE5C4D5524E2A16A3C8,SHA256=19965789A09DABA811B860F9C4BFC3B7C3388816590872702B73930BBEDF9607falsetrue 354300x80000000000000001536033Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:19.668{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60668-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536032Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:26.014{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B664EC91951E95F347A3777D3576BB5,SHA256=250E7D38FAFAE6C4D87AD033DB7816FDD59C975231726A962E3C197A64D467CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536031Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:26.014{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B69FC5491D575961350D6626BEE087B8,SHA256=2E387358BE29D1F5D657F774F9DFC5391963ECF176FFBCD8F9B547011CB2F9E8,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005435711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.134{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005435710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.134{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005435709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.134{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005435708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.134{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005435707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005435706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005435705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005435704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788\srvsvcC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005435703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005435702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005435701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005435700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005435699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005435698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005435697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005435696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005435695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005435694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005435693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005435692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005435691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005435690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005435689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005435688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005435687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005435686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005435685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005435684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005435683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005435682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005435681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005435680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:26.009{4DF467A6-FDBD-6138-4CD4-00000000F001}3788C:\Program 
Sysmon records from Channel Microsoft-Windows-Sysmon/Operational, one per line in source order (record IDs descend within each host's batch). System fields that are identical on every record are not repeated: Level=4, Opcode=0, Keywords=0x8000000000000000, Task=EventID; Version=2 for event IDs 11 and 12, 3 for IDs 5, 7 and 10, 5 for IDs 1 and 23. RuleName=- on every record. The source does not delimit SourceProcessId from SourceThreadId in event 10 records, nor Description from Product in the Splunk binary's version resource; those values are shown as they appear, with the inferred PID/TID boundary marked "/".

EventID=7 (ImageLoad) (record begins before this section; its System fields and the start of Image are not in it) | Image(truncated)=Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | FileVersion=2.9.9 | Description=libxml2 library | Product=libxml2 | Company=- | OriginalFileName=libxml2.dll | Hashes=MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435679 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:26.009 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\activeds.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=ADs Router Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ADs | Hashes=MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435678 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:26.009 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\ws2_32.dll | FileVersion=10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Description=Windows Socket 2.0 32-Bit DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ws2_32.dll | Hashes=MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435677 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:26.009 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\rpcrt4.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Remote Procedure Call Runtime | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=rpcrt4.dll | Hashes=MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435676 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\sechost.dll | FileVersion=10.0.14393.3808 (rs1_release.200707-2105) | Description=Host for SCM/SDDL/LSA Lookup APIs | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=sechost.dll | Hashes=MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435675 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\msvcrt.dll | FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Description=Windows NT CRT DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcrt.dll | Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435674 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\advapi32.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Advanced Windows 32 Base API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=advapi32.dll | Hashes=MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435673 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\gdi32full.dll | FileVersion=10.0.14393.4530 (rs1_release.210705-0736) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435672 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\gdi32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435671 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\win32u.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Win32u | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Win32u.DLL | Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435670 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\user32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Multi-User Windows USER API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=user32 | Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=10 (ProcessAccess) | RecordID=5435669 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | SourceProcessGUID={4DF467A6-D934-6137-57AF-00000000F001} | SourceProcessId/SourceThreadId=5448/6556 | SourceImage=C:\Windows\system32\conhost.exe | TargetProcessGUID={4DF467A6-FDBD-6138-4CD4-00000000F001} | TargetProcessId=3788 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=7 (ImageLoad) | RecordID=5435668 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\KernelBase.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Kernelbase.dll | Hashes=MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435667 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\kernel32.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=kernel32 | Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435666 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Windows\System32\ntdll.dll | FileVersion=10.0.14393.4530 (rs1_release.210705-0736) | Description=NT Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ntdll.dll | Hashes=MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435665 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | FileVersion=8.0.2 | Description/Product=Windows Print Monitor splunk Application | Company=Splunk Inc. | OriginalFileName=splunk-winprintmon.exe | Hashes=MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=10 (ProcessAccess) | RecordID=5435664 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | SourceProcessGUID={4DF467A6-3F46-6132-0500-00000000F001} | SourceProcessId/SourceThreadId=412/380 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGUID={4DF467A6-FDBD-6138-4CD4-00000000F001} | TargetProcessId=3788 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 (ProcessAccess) | RecordID=5435663 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.994 | SourceProcessGUID={4DF467A6-D933-6137-53AF-00000000F001} | SourceProcessId/SourceThreadId=7044/1372 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetProcessGUID={4DF467A6-FDBD-6138-4CD4-00000000F001} | TargetProcessId=3788 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 (ProcessCreate) | RecordID=5435662 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:25.869 | ProcessGuid={4DF467A6-FDBD-6138-4CD4-00000000F001} | ProcessId=3788 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | FileVersion=8.0.2 | Description/Product=Windows Print Monitor splunk Application | Company=Splunk Inc. | OriginalFileName=splunk-winprintmon.exe | CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" | CurrentDirectory=C:\Windows\system32\ | User=NT AUTHORITY\SYSTEM | LogonGuid={4DF467A6-3F46-6132-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System | Hashes=MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2 | ParentProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} | ParentProcessId=7044 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23 (FileDelete) | RecordID=1536035 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:15:27.502 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=95A19B2827C084E64F4AAB13995644CA,SHA256=9AF5E092CFA33AF72D0B34AFD4BF4B8FDF2B1B99A1804937DE0F475149D6EA38,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5435727 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:27.968 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 (FileDelete) | RecordID=5435726 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:27.968 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=F262CC0C54FC348397457D6331C6103B,SHA256=9BBBC2EA4BB594507C5C75DA4DABFBAB853AE1B24763EEF2A7034E95D7F3ADDA | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5435725 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:27.483 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 (FileDelete) | RecordID=5435724 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:27.483 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=7C49AA8D95BDDE6B8127162CD2FEE518,SHA256=1CBA326C115E0412C78C6E2EFF685550BB73A3EBB965E574CD564203FC8E0B5D | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5435723 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:27.218 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 (FileDelete) | RecordID=5435722 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:27.218 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=034FF6B1B222CD4292CCE76F95A354CE,SHA256=45BC35B19BEB538798412DBD3B02D2924DEB0A10CA77B1F4587501668853EF2A | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5435721 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:27.124 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 (FileDelete) | RecordID=5435720 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:27.124 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=70353BE6EB01DD3BBDB66EC6DA485AA6,SHA256=3B30F9FEFC2CAB5C59E013C50EF27A218000FBEA1317F0C1AA18C6108B67482F | IsExecutable=false | Archived=true
EventID=23 (FileDelete) | RecordID=1536036 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:15:28.504 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=7B677B8931CE9FBC28E190E3C9516B37,SHA256=0CFD9246C74BD2B11265399B873DF1B1631D8B546BE04DBE98E22E3EEF3E7B6C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5435844 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.593 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 (FileDelete) | RecordID=5435843 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.593 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=F2D4DAEF5319F51C6FCDBD0019A7EB8C,SHA256=BFFE174081F33D076FC13C34FF32A9657FC9CE3DF8B4951CB9E00E87B7E7C276 | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5435842 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.577 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 (FileDelete) | RecordID=5435841 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.577 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=997C9E8A0D0DFA2A2C74023E13F69613,SHA256=5175726EEE61AD370D863B8806BD75041CAE38A43284E197C9A5137561400DA1 | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5435840 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.561 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 (FileDelete) | RecordID=5435839 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.561 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=1D260830EBAAA57EA39101CC8183DD68,SHA256=40C4473611C59F3BFA76A6982ED39B18277BC246BCB2AFC5A0A6C357A06E67C7 | IsExecutable=false | Archived=true
EventID=11 (FileCreate) | RecordID=5435838 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.561 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=11 (FileCreate) | RecordID=5435837 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.561 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 (FileDelete) | RecordID=5435836 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.561 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=642F489B06B7E877E5465E34F547E18A,SHA256=BA5B9774DDB96E04F5BB343DE087E1CCAC960AC395777E0B02B1BF722A1080FA | IsExecutable=false | Archived=true
EventID=23 (FileDelete) | RecordID=5435835 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.561 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=430F900109D5CAADFA18D2B6BC6AC688,SHA256=A13E54E5267B5869558AB3ACBDADA52B2282C759800EF097C65F7BB7EE1F0C18 | IsExecutable=false | Archived=true
EventID=5 (ProcessTerminate) | RecordID=5435834 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe
EventID=12 (RegistryEvent) | RecordID=5435833 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EventID=7 (ImageLoad) | RecordID=5435832 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\version.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Version Checking and File Installation Libraries | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=VERSION.DLL | Hashes=MD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=12 (RegistryEvent) | RecordID=5435831 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EventID=12 (RegistryEvent) | RecordID=5435830 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=12 (RegistryEvent) | RecordID=5435829 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 (RegistryEvent) | RecordID=5435828 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 (RegistryEvent) | RecordID=5435827 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 (RegistryEvent) | RecordID=5435826 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 (RegistryEvent) | RecordID=5435825 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 (RegistryEvent) | RecordID=5435824 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 (RegistryEvent) | RecordID=5435823 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 (RegistryEvent) | RecordID=5435822 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 (RegistryEvent) | RecordID=5435821 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 (RegistryEvent) | RecordID=5435820 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 (RegistryEvent) | RecordID=5435819 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 (RegistryEvent) | RecordID=5435818 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 (RegistryEvent) | RecordID=5435817 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 (RegistryEvent) | RecordID=5435816 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 (RegistryEvent) | RecordID=5435815 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 (RegistryEvent) | RecordID=5435814 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 (RegistryEvent) | RecordID=5435813 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 (RegistryEvent) | RecordID=5435812 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 (RegistryEvent) | RecordID=5435811 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 (RegistryEvent) | RecordID=5435810 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.452 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=7 (ImageLoad) | RecordID=5435809 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\imm32.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Multi-User Windows IMM32 API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=imm32 | Hashes=MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=12 (RegistryEvent) | RecordID=5435808 | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=7 (ImageLoad) | RecordID=5435807 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\bcrypt.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcrypt.dll | Hashes=MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435806 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\netutils.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Net Win32 API Helpers DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NETUTILS.DLL | Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435805 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\wkscli.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Workstation Service Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WKSCLI.DLL | Hashes=MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435804 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\sspicli.dll | FileVersion=10.0.14393.2580 (rs1_release_inmarket.181009-1745) | Description=Security Support Provider Interface | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=sspicli.dll | Hashes=MD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435803 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\authz.dll | FileVersion=10.0.14393.1737 (rs1_release_inmarket.170914-1249) | Description=Authorization Framework | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=authz.dll | Hashes=MD5=6BAADF6A3E985DE5AB6FDA778E18F1A5,SHA256=8FD060B0F29A1FB23C3D1F389C22EC067247F1E457F331D2B15AE44323ECB8D0 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435802 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\bcryptprimitives.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcryptprimitives.dll | Hashes=MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435801 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\ucrtbase.dll | FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ucrtbase.dll | Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435800 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\combase.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Microsoft COM for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=COMBASE.DLL | Hashes=MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435799 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\shlwapi.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Shell Light-weight Utility Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=SHLWAPI.DLL | Hashes=MD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435798 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\ws2_32.dll | FileVersion=10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Description=Windows Socket 2.0 32-Bit DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ws2_32.dll | Hashes=MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435797 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\gdi32full.dll | FileVersion=10.0.14393.4530 (rs1_release.210705-0736) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435796 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\gdi32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435795 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\win32u.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Win32u | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Win32u.DLL | Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435794 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\user32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Multi-User Windows USER API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=user32 | Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435793 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\rpcrt4.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Remote Procedure Call Runtime | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=rpcrt4.dll | Hashes=MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435792 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\sechost.dll | FileVersion=10.0.14393.3808 (rs1_release.200707-2105) | Description=Host for SCM/SDDL/LSA Lookup APIs | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=sechost.dll | Hashes=MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435791 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\msvcrt.dll | FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Description=Windows NT CRT DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcrt.dll | Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435790 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\advapi32.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Advanced Windows 32 Base API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=advapi32.dll | Hashes=MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=10 (ProcessAccess) | RecordID=5435789 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | SourceProcessGUID={4DF467A6-9719-6137-95A6-00000000F001} | SourceProcessId/SourceThreadId=4996/5928 | SourceImage=C:\Windows\system32\conhost.exe | TargetProcessGUID={4DF467A6-FDC0-6138-4ED4-00000000F001} | TargetProcessId=5952 | TargetImage=C:\Windows\system32\whoami.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=7 (ImageLoad) | RecordID=5435788 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\KernelBase.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Kernelbase.dll | Hashes=MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435787 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\kernel32.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=kernel32 | Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435786 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\ntdll.dll | FileVersion=10.0.14393.4530 (rs1_release.210705-0736) | Description=NT Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ntdll.dll | Hashes=MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | RecordID=5435785 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | ProcessGuid={4DF467A6-FDC0-6138-4ED4-00000000F001} | ProcessId=5952 | Image=C:\Windows\System32\whoami.exe | ImageLoaded=C:\Windows\System32\whoami.exe | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=whoami - displays logged on user information | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=whoami.exe | Hashes=MD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=10 (ProcessAccess) | RecordID=5435784 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | SourceProcessGUID={4DF467A6-4446-6132-EC05-00000000F001} | SourceProcessId/SourceThreadId=1764/5008 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGUID={4DF467A6-FDC0-6138-4ED4-00000000F001} | TargetProcessId=5952 | TargetImage=C:\Windows\system32\whoami.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 (ProcessAccess) | RecordID=5435783 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:15:28.436 | SourceProcessGUID={4DF467A6-9719-6137-94A6-00000000F001} | SourceProcessId/SourceThreadId=3852/4888 | SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | TargetProcessGUID={4DF467A6-FDC0-6138-4ED4-00000000F001} | TargetProcessId=5952 | TargetImage=C:\Windows\system32\whoami.exe | GrantedAccess=0x1fffff | CallTrace(truncated at section end)=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88b70024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88abb3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87fb002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88013a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35
\System.Management.Automation.ni.dll+87ff5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87fe665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88abb3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87fb002a(wow64) 154100x80000000000000005435782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.428{4DF467A6-FDC0-6138-4ED4-00000000F001}5952C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 18141800x80000000000000005435781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:28.421{4DF467A6-9719-6137-94A6-00000000F001}3852<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x80000000000000005435780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:28.421{4DF467A6-9719-6137-94A6-00000000F001}3852<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 12241200x80000000000000005435779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005435778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005435777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005435776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
734700x80000000000000005435775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x80000000000000005435774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005435773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005435772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005435771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005435770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005435769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005435768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005435767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005435766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005435765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005435764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005435763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005435762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000005435761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005435760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005435759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005435758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005435757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005435756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 534500x80000000000000005435755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXE 12241200x80000000000000005435754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000005435753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=63EB5F68082B8C8C392E5DAC1D4EC678,SHA256=58EC364601FA6FE26525D8ADB44B7EDEFCFB73E72897C77B6E37F73E1C7BF871trueMicrosoft WindowsValid 734700x80000000000000005435752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=B0DE13ABF238AB28E963629B977A012F,SHA256=43288C8A658C2F0CB0CB1C9D874506D6CEEF455AAB68CE2EF0D685DE8E3BA0C3trueMicrosoft WindowsValid 12241200x80000000000000005435751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005435750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005435749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000005435748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005435747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005435746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005435745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=71514D9A6350A37B4F0BAA6ACB751771,SHA256=5DB99D6784900D85BB4A62E9F40B4EC628054D41B38A5E93F80C7A8BB066EBBBtrueMicrosoft WindowsValid 12241200x80000000000000005435744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:15:28.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005435743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005435742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005435741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.421{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005435740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.405{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000005435739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.405{4DF467A6-9719-6137-95A6-00000000F001}49965928C:\Windows\system32\conhost.exe{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005435738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.405{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005435737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.405{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005435736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.405{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005435735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.405{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exeMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1trueMicrosoft WindowsValid 10341000x80000000000000005435734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.405{4DF467A6-4446-6132-EC05-00000000F001}17644228C:\Windows\system32\csrss.exe{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005435733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:28.405{4DF467A6-9719-6137-94A6-00000000F001}38524888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88b70024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88abb3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87fb002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88013a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c
35\System.Management.Automation.ni.dll+87ff5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87fe665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87ff30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+88abb3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+87fb002a(wow64) 154100x80000000000000005435732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.402{4DF467A6-FDC0-6138-4DD4-00000000F001}7336C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 
18141800x80000000000000005435731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:15:28.389{4DF467A6-9719-6137-94A6-00000000F001}3852<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x80000000000000005435730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:15:28.389{4DF467A6-9719-6137-94A6-00000000F001}3852<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x80000000000000005435729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.014{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:28.014{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87FF444F216FDA5AB0DCC7631F40045D,SHA256=A9258E9BC8A86316617A889F0B04BA0E70EDA80802D41DACFD3221482DC5BAAFfalsetrue 11241100x80000000000000005435850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:29.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:29.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713B265839439FC46490D0DA2755A75F,SHA256=06B4C24330E72E6DB6DE08C1C66C8299E85E2C58F5F0ED5236ACAF77E5B249CBfalsetrue 23542300x80000000000000001536037Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:29.570{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9B0A71139C8E759D4D57DBC7D0B126,SHA256=44DA58CC8898CA3F41F4BC16E523FCB664726739B40265A5A2FE411F31E187D6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:29.405{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:29.405{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=474E297CACBC7B770EC1E2B823A0F771,SHA256=F5B07EB1B49D9E7133E4527079F660E1BA18165C208E1A573CC5AB9E418AB2F6falsetrue 11241100x80000000000000005435846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:29.124{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000005435845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:29.124{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=712BEF93C0B92DF4B066742C72110426,SHA256=A8D6D2E50B6B812AB425BF113C6EF798A8257DB21292E6A6E5BDAAE885770BE8falsetrue
11241100x80000000000000005435855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:30.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005435854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:30.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4978908F294CC09FD9A05576AAC3F8,SHA256=1BCF3291013F61952DB8B406D89FE7EA612F94B461C500D46500E16FE2BF69A4falsetrue
23542300x80000000000000001536038Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:30.572{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545A674A196E032D579B704958669973,SHA256=B99294FE92E294DDDCC31F9A74C3E1BEB4492F7DFA9E95F8DBCE2DCAB211C2F3,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005435853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:15.756{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63431-false10.0.1.12-8000-
11241100x80000000000000005435852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:30.264{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187
23542300x80000000000000005435851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:30.264{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=27746F60D4C4A3F1D199D7C67905233C,SHA256=474A270AB571F7258DF2D46E688BA7DBE9FA6E2E2BDE64F4FB24B55CE26BEE8Bfalsetrue
23542300x80000000000000001536041Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:31.580{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B55DBB351D50ABD74BB6FB3E7EC7532,SHA256=33CC02CE8DC60A8CDEA3D3F493BC5C543A08AFCCAC2A1EA51D4E128BE0D3BA7E,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005435857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:31.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005435856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:31.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CED5B5EC60F33AC2E1D0E115907BD5D,SHA256=9FB6B0BCAEC4A2B8AE33053766D4E63E3C2E5D6ABB806D11610ED945E3528716falsetrue
23542300x80000000000000001536040Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:31.110{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC84A83B32C0C4C0919D55AB11275207,SHA256=946FFED060BF7804438574BCB49DC557CDF418D96A325BD6C307CD798F479F38,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001536039Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:31.110{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B664EC91951E95F347A3777D3576BB5,SHA256=250E7D38FAFAE6C4D87AD033DB7816FDD59C975231726A962E3C197A64D467CD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001536052Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:32.647{AEE49BD1-FDC4-6138-4ACE-00000000F101}59844652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001536051Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:32.582{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A8E7A89C8FECA21799ED2A38C81500,SHA256=5A74E2E8756CC52979AC8D8C829482225842B35752552349D58DC5FB1B7E3547,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005435863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:32.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005435862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:32.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AB2B22AA3527405925468B27F1A89F,SHA256=8C0CF7D3BB7F508C2594451EB4D872CAA14D5BC078205EAA17F16287B4F08259falsetrue
10341000x80000000000000001536050Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:32.529{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FDC4-6138-4ACE-00000000F101}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536049Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:32.529{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536048Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:32.529{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536047Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:32.529{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536046Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:32.529{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536045Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:32.529{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FDC4-6138-4ACE-00000000F101}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001536044Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:32.529{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FDC4-6138-4ACE-00000000F101}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001536043Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:32.514{AEE49BD1-FDC4-6138-4ACE-00000000F101}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x80000000000000001536042Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:24.763{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60669-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000005435861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:32.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005435860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:32.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B4F945339194BA40E33C064F3EFDC573,SHA256=A661FD1AE3119B33A117927614C1DFF606B414C1F2D2E6ECAB3E8F02CE10199Bfalsetrue
11241100x80000000000000005435859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:32.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005435858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:32.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=17B234AB2592EEC5BB2008210E33BDEC,SHA256=2CD7D8EE0ADD578E619CD960C918637349379EE05BE5DAE25A407384EEA0938Cfalsetrue
10341000x80000000000000001536072Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.915{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FDC5-6138-4CCE-00000000F101}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536071Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.915{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536070Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.915{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536069Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.915{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536068Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.915{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536067Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.915{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FDC5-6138-4CCE-00000000F101}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001536066Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.915{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FDC5-6138-4CCE-00000000F101}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001536065Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.900{AEE49BD1-FDC5-6138-4CCE-00000000F101}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001536064Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.645{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663270E4A46D9DF4BE48A5DC5ABF14D9,SHA256=CCF3735123E4F13F0A6CB8C6EB132B463328B57AC159EF2E43EF157850798063,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005435867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:33.655{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005435866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:33.655{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A76F8B4088A597AC5EE8798D473A17A,SHA256=1BED50C314FD2D1957C57503503DBA43C279B1C64D61F1544D9D5B1F4FB72999falsetrue
23542300x80000000000000001536063Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.614{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC84A83B32C0C4C0919D55AB11275207,SHA256=946FFED060BF7804438574BCB49DC557CDF418D96A325BD6C307CD798F479F38,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001536062Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.345{AEE49BD1-FDC5-6138-4BCE-00000000F101}57205544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536061Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.224{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FDC5-6138-4BCE-00000000F101}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536060Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.222{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536059Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.222{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536058Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.222{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536057Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.221{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001536056Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.221{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FDC5-6138-4BCE-00000000F101}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001536055Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.221{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FDC5-6138-4BCE-00000000F101}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001536054Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.205{AEE49BD1-FDC5-6138-4BCE-00000000F101}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001536053Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:33.147{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7173MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005435865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:33.030{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005435864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:33.030{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1532BE4196F54C7072727E83862691AC,SHA256=2AB278FB75B7C385104C0F5D1F5F6D9913C539DA06B48BDE674771FE17F264C3falsetrue
11241100x80000000000000005435869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:34.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005435868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:34.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFDBD823521F9D46371EA79B8DEE33A,SHA256=B825D07B335173C78CE3CF5D55D720541965946FB19E104D160D0E7191A3ACDDfalsetrue
23542300x80000000000000001536076Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:34.917{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85CBCA12A93B8D8C38A0EB8831BD26A7,SHA256=3143E77ADCC597F119E3AA7E812DDC2EC56C16E329F7C5053549D4E9683DC5D1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001536075Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:34.650{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAF1DB9D1696FC7CDCB32A85D97FDF1,SHA256=5157BE38572297BB3343505F2AD72DFA2660F58FFD85288274C0B666BB9397AC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001536074Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:34.147{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7174MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001536073Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:34.031{AEE49BD1-FDC5-6138-4CCE-00000000F101}55805148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000005435876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:35.686{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005435875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:35.686{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43B12DD53B9811E2B11666CCC93C71B,SHA256=B4D18ECB4F06B7855CF779ACAB87683AB44E888408D0A5E656FBB82184AA7030falsetrue
23542300x80000000000000001536077Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:35.665{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9350EE9D30FE4E95F350C9207CE6FD94,SHA256=BADE19011B89E9D7B316302D3B706E418272D8EA14D3586D5B8EBBB55B574F84,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005435874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:21.724{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63432-false10.0.1.12-8000-
11241100x80000000000000005435873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:35.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005435872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:35.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CF036461FBDF394A68E73A08FBCB8DE,SHA256=837DCD9A2FFFCBC5601A06A4CBB91F04E85206F8C07DA14E2D946BAE0CF13857falsetrue
11241100x80000000000000005435871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:35.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005435870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:35.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65ABC236FE2C880127D780F24B66AE8D,SHA256=A4A9CDEEE5554979ECCC1B72871807B70F80027DBADC15EDAEB144A4F518FAD0falsetrue
11241100x80000000000000005435878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:36.827{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005435877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:36.827{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F94314B7CE351E0B667C057C4252D4B,SHA256=8A1DA0023F522621E9E525CC6841C04A3BFF5CD080CD656A10456BFA369C0EDCfalsetrue 23542300x80000000000000001536078Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:36.667{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC2E15E32C0D397A14281B85E05C849,SHA256=A2E534DF77AC358A648F786E0B706C1E3F09B4D8F7035E65999082999FD7D8D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:37.843{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:37.843{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542FA93EB0E789BBC8B7ED3837E9AEC9,SHA256=8EA787C2053BA00A20A6C89B10B0B1E865DC2F22AAA21AD81C9CC520EC9907E5falsetrue 23542300x80000000000000001536081Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:37.668{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3702D4E48F6ED19F645B45DE791B0FE,SHA256=1C1C807AE942D9A277B0E4717EB00F7846D8E1F6E16B819D967BB4C6A2622332,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:37.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:37.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=10AB4887CFA8AB74BBD376CA08BC4BCD,SHA256=7E2C0547B5CA2514E74870EA7091C8A23F4CC5B4FC2A7CB4FF7A74AAB0ABAF94falsetrue 11241100x80000000000000005435880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:37.202{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:37.202{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=57C13182753B39416E411D1A872BD3AF,SHA256=1634A059ED1FE8F8449D83B4C51D871496E77AD112274C28824F93EFA1BA4638falsetrue 354300x80000000000000001536080Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:30.775{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60670-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536079Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:37.136{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=992A1340955420C065A19074D83586C3,SHA256=763325993A2E66C034C3615E70B725DDF2E6B97329B6687EDD7BD9C3502A7654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536082Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:38.671{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D4247066EF76FD4CA12B539D029884,SHA256=DD19E6916896D5E92CAAB0B99102349749734387532DF82A7F81053494D5DA47,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:38.858{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 
15:28:51.675 23542300x80000000000000005435887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:38.858{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351EBBFB7DDE166DF0BA52B7BBE688A0,SHA256=7DDD418FC96BC06C7FC0FD231C956BE220FABCB8EA6529FD704A7829B2293076falsetrue 11241100x80000000000000005435886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:38.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:38.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E174327822F8492304803C48F111D63F,SHA256=85024C05BA439FEEF9D3F8B241DFA184F791F590C69A34C3A303B4CA16925CCFfalsetrue 23542300x80000000000000001536083Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:39.673{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD79CACC69F384FA8576713AC3A0458,SHA256=866A4681125837043B9DC940C4C3B61EDD5BBB1E0E8C23F426B8CF865BC1E82C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:39.889{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:39.889{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331F3606D0396EBA3EACB877BCABED10,SHA256=1AF8A872994FC08B479BBADEDA9274C405856E72FC450F6996880E0AD1A15C6Cfalsetrue 11241100x80000000000000005435892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:40.921{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:40.921{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24E723C7D1194D7F6AF17BC69A0777C,SHA256=7D053DCA6B79548D0369C7AB1A8CD8107D1AB568B3D26547D2D0BC7BF54E5D22falsetrue 23542300x80000000000000001536084Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:40.676{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25DCE8BD193F5DCF698A92E2C78A9813,SHA256=799A7A016AB4A28E0F7203E78DDB54204F5A435E7C1101B24D679A98AE0FAA63,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:41.952{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005435897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:41.952{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12669400586E4AC2C6D61AE1D949D376,SHA256=AC29463D2B690681917C25B3CC38A957135C5354F19A929A5269EDD0FB024387falsetrue 23542300x80000000000000001536085Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:41.678{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EAB3775473016C9FDC9073CE8F7115,SHA256=B90FBEA960F6CEF5F195B39D2CEB24257A5650A77D5390AC9FDA633AD4920855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:41.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000005435895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:41.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D6B456F1B562E0EC05515E40E353772,SHA256=C3592F20904FE83B92F4D68198A073B91BA4A3E72703D8F4767753AC242D47B2falsetrue 11241100x80000000000000005435894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:41.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005435893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:41.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CF036461FBDF394A68E73A08FBCB8DE,SHA256=837DCD9A2FFFCBC5601A06A4CBB91F04E85206F8C07DA14E2D946BAE0CF13857falsetrue 10341000x80000000000000001536096Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:42.903{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FDCE-6138-4DCE-00000000F101}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536095Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:42.903{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536094Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:42.903{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536093Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:42.903{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536092Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:42.903{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536091Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:42.903{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FDCE-6138-4DCE-00000000F101}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536090Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:42.903{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FDCE-6138-4DCE-00000000F101}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536089Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:42.897{AEE49BD1-FDCE-6138-4DCE-00000000F101}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001536088Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:42.681{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D32CC8721AAD5867DBAE65745AE785,SHA256=8F02F0BFB6C9FD35889E4478C40658D954CCBF6020FF1BD16B2BD14358E3783C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005435904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:27.724{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63433-false10.0.1.12-8000- 11241100x80000000000000005435903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:42.389{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:42.389{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C46C61F1340600B3ECD9CA33391F407B,SHA256=FE14FC1272DEF9DACCF4C4EAE4CD10B67596AE05E7DBCD7DA47B7BCF11CFAA5Dfalsetrue 11241100x80000000000000005435901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:42.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005435900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:42.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AA309934EC2A3B8D771A51D03EDAF7C0,SHA256=F781590DC58545EC7D79EACFC1CB679D0A7A665BFC4734984A798509316DD3A1falsetrue 10341000x80000000000000005435899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:42.155{4DF467A6-3F47-6132-0D00-00000000F001}8968084C:\Windows\system32\svchost.exe{4DF467A6-D465-6138-7BCD-00000000F001}976C:\Windows\system32\taskhostw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001536087Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:42.179{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AF6B3F96ABA20CE94F74D94793224F2,SHA256=58AF66DEE7071FF985ABDB3A3EC48A06631036F0224FCC1B71DC6947CB62B22A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536086Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:42.179{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AAD06BADC44CD6E46D34653CBD37CEF,SHA256=302F8188E8E23CE7233B371A12C44927AEC43EA2A20F8DF18F6E715D120A85D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536099Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:43.982{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AF6B3F96ABA20CE94F74D94793224F2,SHA256=58AF66DEE7071FF985ABDB3A3EC48A06631036F0224FCC1B71DC6947CB62B22A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536098Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:43.681{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889E2F15C070C47D964D5CCF0F2BCE25,SHA256=1933FB38E52DD4786F8694CF2C880749BB31A3274070AF6F6D57F61A89BBB204,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005435910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:43.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x80000000000000005436365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.801{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x80000000000000005436364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.801{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x80000000000000005436363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.801{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000005436362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.801{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005436361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.801{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000005436360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.801{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005436359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005436358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 534500x80000000000000005436357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exe 734700x80000000000000005436356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005436355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000005436354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000005436353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:48.785{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x80000000000000005436352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000005436351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-55D4-00000000F001}3132c:\windows\SysWOW64\calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings 734700x80000000000000005436350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXEMD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301trueMicrosoft WindowsValid 12241200x80000000000000005436349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-55D4-00000000F001}3132c:\windows\SysWOW64\calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings 10341000x80000000000000005436348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:48.785{4DF467A6-4446-6132-EC05-00000000F001}17645008C:\Windows\system32\csrss.exe{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005436347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-55D4-00000000F001}31327508c:\windows\SysWOW64\calc.exe{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\windows.storage.dll+1b9a58(wow64)|C:\Windows\System32\windows.storage.dll+1b9895(wow64)|C:\Windows\System32\windows.storage.dll+1b98f8(wow64)|C:\Windows\System32\SHELL32.dll+173251(wow64) 154100x80000000000000005436346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.796{4DF467A6-FDD4-6138-56D4-00000000F001}8172C:\Windows\SysWOW64\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exec:\windows\system32\calc.exe 12241200x80000000000000005436345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-55D4-00000000F001}3132c:\windows\SysWOW64\calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 13241300x80000000000000005436344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-55D4-00000000F001}3132c:\windows\SysWOW64\calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x80000000000000005436343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-55D4-00000000F001}3132c:\windows\SysWOW64\calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x80000000000000005436342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-55D4-00000000F001}3132c:\windows\SysWOW64\calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x80000000000000005436341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 
(rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x80000000000000005436340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 10341000x80000000000000005436339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-3F46-6132-0B00-00000000F001}6367488C:\Windows\system32\lsass.exe{4DF467A6-FDD4-6138-55D4-00000000F001}3132c:\windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:48.785{4DF467A6-3F46-6132-0B00-00000000F001}6367488C:\Windows\system32\lsass.exe{4DF467A6-FDD4-6138-55D4-00000000F001}3132c:\windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=12ED40D048D0F5F44D3877936A1B7E8B,SHA256=8E652B0663D0F0C6BFE7102329C9A84FB1E937273E51F8FF0FC3469350AF5C41trueMicrosoft WindowsValid 734700x80000000000000005436336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.785{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 734700x80000000000000005436335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 734700x80000000000000005436334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x80000000000000005436333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=770C1528B78CC7B2BBF0AF74CEF0C201,SHA256=100514AA8D39939A9619BA454C25B570F35CFD864DC347B45F5F144CA47E7AB6trueMicrosoft WindowsValid 734700x80000000000000005436332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValid 
734700x80000000000000005436331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=039F872B9E944D6588D144FE08B79A82,SHA256=6E9B077330E005F81EF80753673E873A0A73E55DBE50E586B52516D92EF0B6C7trueMicrosoft WindowsValid 734700x80000000000000005436330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x80000000000000005436329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x80000000000000005436328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\ieframe.dll11.00.14393.4583 (rs1_release.210730-1850)Internet BrowserInternet ExplorerMicrosoft CorporationIEFRAME.DLLMD5=808D1FF9595090E003169ECCF5A01998,SHA256=F4211A12B2FA4DC0FBD6A302B8992047BC96A1E9E015D53205C42F909C87E95DtrueMicrosoft WindowsValid 
734700x80000000000000005436327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x80000000000000005436326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x80000000000000005436325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x80000000000000005436324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 
12241200x80000000000000005436323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132c:\windows\SysWOW64\calc.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 11241100x80000000000000005436322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 12241200x80000000000000005436321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132c:\windows\SysWOW64\calc.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 23542300x80000000000000005436320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E720B10706CCCFB97B286734E60E06F1,SHA256=2F184641DB7A18C1CCEF9EAF3136F5026B16ED6C807411F02184BEEA25FB3426falsetrue 734700x80000000000000005436319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.770{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=3E0252D377C7905383A3780B13495CA9,SHA256=FD24AD22E174873DEDC5BB091A9E32CF2689063C5B18E79615B3B52081582FADtrueMicrosoft WindowsValid 
734700x80000000000000005436318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.754{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x80000000000000005436317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.754{4DF467A6-FDD4-6138-55D4-00000000F001}3132C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\Windows.Shell.ServiceHostBuilder.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Shell.ServiceHostBuilderMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Shell.ServiceHostBuilder.dllMD5=FA980AB8F03E094783137126D17E568C,SHA256=DADF71326270DBFE2D17A45D5C50A4FCB7A32ACECAB354299977FBB34135BE89trueMicrosoft WindowsValid 10341000x80000000000000005436316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.754{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-FDD4-6138-55D4-00000000F001}3132c:\windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
18:15:48.676{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000005436226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-43FD-6136-8C7E-00000000F001}961428C:\Windows\explorer.exe{4DF467A6-FDD4-6138-53D4-00000000F001}5792C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:48.676{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000005436220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 10341000x80000000000000005436219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-3F48-6132-1600-00000000F001}12482776C:\Windows\system32\svchost.exe{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:48.676{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000005436216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 11241100x80000000000000005436215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 734700x80000000000000005436214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 11241100x80000000000000005436213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 734700x80000000000000005436212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 23542300x80000000000000005436211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA776BD185FE07C4D0EEC8CFF09B91E5,SHA256=F6EED6D7CB71705273DD8701C04761B4E39D6727335DE9352D9605E7AE1C11E9falsetrue 23542300x80000000000000005436210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3D72378B06DEB7D7C52C7F973582B3B4,SHA256=9724C6DB8698BE97563D74191F3074A3D2941D5F61B0A5C2794AFC19724F8D73falsetrue 734700x80000000000000005436209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005436208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000005436207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000005436206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000005436205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 10341000x80000000000000005436204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.676{4DF467A6-FDD4-6138-54D4-00000000F001}78365736C:\Windows\system32\conhost.exe{4DF467A6-FDD4-6138-53D4-00000000F001}5792C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000005436202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005436201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft 
Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000005436200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005436199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005436198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000005436197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005436196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005436195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005436194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005436193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005436192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005436191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005436190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005436189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.4583 (rs1_release.210730-1850)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCONHOST.EXEMD5=2FB0A16E47FFDD4CBB3E80E58ECD8AE1,SHA256=943949336C9A3707F0A9FFD76A6D20278B6EE72513E8D193D04B27133C36B7C6trueMicrosoft WindowsValid 734700x80000000000000005436188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000005436187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-4446-6132-EC05-00000000F001}17645008C:\Windows\system32\csrss.exe{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000005436186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005436185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005436184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005436183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0trueMicrosoft WindowsValid 154100x80000000000000005436182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.668{4DF467A6-FDD4-6138-54D4-00000000F001}7836C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{4DF467A6-FDD4-6138-53D4-00000000F001}5792C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\calc.exe 734700x80000000000000005436181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:48.660{4DF467A6-FDD4-6138-53D4-00000000F001}5792C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000005436180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-53D4-00000000F001}5792C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005436179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-53D4-00000000F001}5792C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000005436178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.660{4DF467A6-FDD4-6138-53D4-00000000F001}5792C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005436177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
c:\users\administrator\appdata\local\temp\docusign.cplC:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=A6ED2B5513A128315EC73A300D215759,SHA256=9980CC59993DCDE34A20411E3FACFEE8E7B159EE0D6FA510BCFAECC8532B4C02{4DF467A6-FDD4-6138-51D4-00000000F001}5964C:\Windows\System32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL c:\users\administrator\appdata\local\temp\docusign.cpl 734700x80000000000000005436085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.613{4DF467A6-FDD4-6138-51D4-00000000F001}5964C:\Windows\System32\rundll32.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000005436084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.613{4DF467A6-FDD4-6138-51D4-00000000F001}5964C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005436083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.613{4DF467A6-FDD4-6138-51D4-00000000F001}5964C:\Windows\System32\rundll32.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436082 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.613 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436081 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.613 | SourceProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} | SourceProcessId=1248 | SourceThreadId=2776 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={4DF467A6-FDD4-6138-51D4-00000000F001} | TargetProcessId=5964 | TargetImage=C:\Windows\system32\rundll32.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436080 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | SourceProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} | SourceProcessId=1248 | SourceThreadId=1296 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={4DF467A6-FDD4-6138-51D4-00000000F001} | TargetProcessId=5964 | TargetImage=C:\Windows\system32\rundll32.exe | GrantedAccess=0x1478 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436079 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\uxtheme.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Microsoft UxTheme Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=UxTheme.dll | Hashes=MD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436078 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\imm32.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Multi-User Windows IMM32 API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=imm32 | Hashes=MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436077 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\profapi.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=User Profile Basic API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=PROFAPI.DLL | Hashes=MD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436076 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\kernel.appcore.dll | FileVersion=10.0.14393.2312 (rs1_release.180607-1919) | Description=AppModel API Host | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=kernel.appcore.dll | Hashes=MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436075 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\win32u.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Win32u | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Win32u.DLL | Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436074 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\user32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Multi-User Windows USER API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=user32 | Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436073 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\gdi32full.dll | FileVersion=10.0.14393.4530 (rs1_release.210705-0736) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436072 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\gdi32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436071 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436070 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436069 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436068 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436067 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436066 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436065 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436064 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436063 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436062 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\shlwapi.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Shell Light-weight Utility Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=SHLWAPI.DLL | Hashes=MD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436061 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436060 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436059 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436058 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\imagehlp.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Windows NT Image Helper | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=IMAGEHLP.DLL | Hashes=MD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436057 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436056 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436055 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436054 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436053 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436052 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436051 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\sechost.dll | FileVersion=10.0.14393.3808 (rs1_release.200707-2105) | Description=Host for SCM/SDDL/LSA Lookup APIs | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=sechost.dll | Hashes=MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436050 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436049 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436048 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436047 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436046 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436045 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\advapi32.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Advanced Windows 32 Base API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=advapi32.dll | Hashes=MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436044 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\powrprof.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Power Profile Helper DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=POWRPROF.DLL | Hashes=MD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436043 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\windows.storage.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Microsoft WinRT Storage API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Windows.Storage.dll | Hashes=MD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBF | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436042 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\cfgmgr32.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Configuration Manager DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=CFGMGR32.DLL | Hashes=MD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436041 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\shell32.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Windows Shell Common Dll | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=SHELL32.DLL | Hashes=MD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044F | Signed=true | Signature=Microsoft Windows | SignatureStatus=Val
EventID=12 RegistryEvent (CreateKey) | Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436040 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} | ProcessId=2948 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436039 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\SHCore.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=SHCORE | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=SHCORE.dll | Hashes=MD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436038 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\bcryptprimitives.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcryptprimitives.dll | Hashes=MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436037 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\rpcrt4.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Remote Procedure Call Runtime | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=rpcrt4.dll | Hashes=MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436036 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\ucrtbase.dll | FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ucrtbase.dll | Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436035 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\combase.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Microsoft COM for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=COMBASE.DLL | Hashes=MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436034 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\msvcrt.dll | FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Description=Windows NT CRT DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcrt.dll | Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436033 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\KernelBase.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Kernelbase.dll | Hashes=MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436032 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\kernel32.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=kernel32 | Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436031 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\ntdll.dll | FileVersion=10.0.14393.4530 (rs1_release.210705-0736) | Description=NT Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ntdll.dll | Hashes=MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436030 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\rundll32.exe | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Windows host process (Rundll32) | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=RUNDLL32.EXE | Hashes=MD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436029 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-50D4-00000000F001} | ProcessId=4148 | Image=C:\Windows\System32\control.exe | ImageLoaded=C:\Windows\System32\sfc_os.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Windows File Protection | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=sfc_os.dll | Hashes=MD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436028 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-50D4-00000000F001} | ProcessId=4148 | Image=C:\Windows\System32\control.exe | ImageLoaded=C:\Windows\System32\mpr.dll | FileVersion=10.0.14393.2879 (rs1_release_inmarket.190313-1855) | Description=Multiple Provider Router DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=mpr.dll | Hashes=MD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 ImageLoad | Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436027 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | ProcessGuid={4DF467A6-FDD4-6138-50D4-00000000F001} | ProcessId=4148 | Image=C:\Windows\System32\control.exe | ImageLoaded=C:\Windows\System32\pcacli.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Program Compatibility Assistant Client Module | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=- | Hashes=MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975E | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436026 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | SourceProcessGUID={4DF467A6-4446-6132-EC05-00000000F001} | SourceProcessId=1764 | SourceThreadId=4908 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGUID={4DF467A6-FDD4-6138-51D4-00000000F001} | TargetProcessId=5964 | TargetImage=C:\Windows\system32\rundll32.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436025 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.598 | SourceProcessGUID={4DF467A6-FDD4-6138-50D4-00000000F001} | SourceProcessId=4148 | SourceThreadId=5240 | SourceImage=C:\Windows\system32\control.exe | TargetProcessGUID={4DF467A6-FDD4-6138-51D4-00000000F001} | TargetProcessId=5964 | TargetImage=C:\Windows\system32\rundll32.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+3c91c|C:\Windows\System32\SHELL32.dll+e2087|C:\Windows\System32\SHELL32.dll+e1fe5|C:\Windows\system32\control.exe+1f00|C:\Windows\system32\control.exe+1094|C:\Windows\system32\control.exe+14d7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 ProcessCreate | Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436024 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-08 18:15:48.599 | ProcessGuid={4DF467A6-FDD4-6138-51D4-00000000F001} | ProcessId=5964 | Image=C:\Windows\System32\rundll32.exe | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Windows host process (Rundll32) | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=RUNDLL32.EXE | CommandLine="C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL c:\users\administrator\appdata\local\temp\docusign.cpl | CurrentDirectory=C:\Users\ADMINI~1\AppData\Local\Temp\2\ | User=ATTACKRANGE\Administrator | LogonGuid={4DF467A6-4447-6132-0BC6-380000000000} | LogonId=0x38c60b | TerminalSessionId=2 | IntegrityLevel=High | Hashes=MD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667 | ParentProcessGuid={4DF467A6-FDD4-6138-50D4-00000000F001} | ParentProcessId=4148 | ParentImage=C:\Windows\System32\control.exe | ParentCommandLine=control.exe c:\users\administrator\appdata\local\temp\docusign.cpl
EventID=13 RegistryEvent (SetValue) | Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436023 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=SetValue | UtcTime=2021-09-08 18:15:48.582 | ProcessGuid={4DF467A6-FDD4-6138-50D4-00000000F001} | ProcessId=4148 | Image=C:\Windows\system32\control.exe | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | Details=DWORD (0x00000000)
EventID=13 RegistryEvent (SetValue) | Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436022 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=SetValue | UtcTime=2021-09-08 18:15:48.582 | ProcessGuid={4DF467A6-FDD4-6138-50D4-00000000F001} | ProcessId=4148 | Image=C:\Windows\system32\control.exe | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet | Details=DWORD (0x00000001)
EventID=13 RegistryEvent (SetValue) | Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436021 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=SetValue | UtcTime=2021-09-08 18:15:48.582 | ProcessGuid={4DF467A6-FDD4-6138-50D4-00000000F001} | ProcessId=4148 | Image=C:\Windows\system32\control.exe | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName | Details=DWORD (0x00000001)
EventID=13 RegistryEvent (SetValue) | Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436020 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=SetValue | UtcTime=2021-09-08 18:15:48.582 | ProcessGuid={4DF467A6-FDD4-6138-50D4-00000000F001} | ProcessId=4148 | Image=C:\Windows\system32\control.exe | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass | Details=DWORD (0x00000001)
EventID=13 RegistryEvent (SetValue) | Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436019 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=SetValue | UtcTime=2021-09-08 18:15:48.582 | ProcessGuid={4DF467A6-FDD4-6138-50D4-00000000F001} | ProcessId=4148 | Image=C:\Windows\system32\control.exe | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | Details=DWORD (0x00000000)
EventID=13 RegistryEvent (SetValue) | Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 | EventRecordID=5436018 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=SetValue | UtcTime=2021-09-08 18:15:48.582 | ProcessGuid={4DF467A6-FDD4-6138-50D4-00000000F001} | ProcessId=4148 | Image=C:\Windows\system32\control.exe | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet | Details=DWORD (0x00000001)
13241300x80000000000000005436017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:15:48.582{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\system32\control.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetNameDWORD (0x00000001) 13241300x80000000000000005436016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:15:48.582{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\system32\control.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypassDWORD (0x00000001) 10341000x80000000000000005436015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.582{4DF467A6-3F46-6132-0B00-00000000F001}6367488C:\Windows\system32\lsass.exe{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\system32\control.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:48.582{4DF467A6-3F46-6132-0B00-00000000F001}6367488C:\Windows\system32\lsass.exe{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\system32\control.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.582{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x80000000000000005436012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.582{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\system32\control.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x80000000000000005436011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.582{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® 
Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x80000000000000005436010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.582{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005436009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.582{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x80000000000000005436008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.582{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 10341000x80000000000000005436007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:15:48.582{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\system32\control.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.582{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x80000000000000005436005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.582{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\system32\control.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x80000000000000005436004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.582{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x80000000000000005436003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005436002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005436001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000005436000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 10341000x80000000000000005435999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-3F48-6132-1600-00000000F001}12482776C:\Windows\system32\svchost.exe{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\system32\control.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005435998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\system32\control.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005435997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 12241200x80000000000000005435996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005435995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005435994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005435993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005435992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 12241200x80000000000000005435991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005435990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000005435989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005435988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005435987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005435986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005435985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005435984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005435983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005435982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005435981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005435980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005435979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005435978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005435977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005435976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005435975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005435974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005435973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005435972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000005435971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000005435970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000005435969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 12241200x80000000000000005435968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:15:48.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005435967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000005435966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 
734700x80000000000000005435965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x80000000000000005435964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005435963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005435962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft 
WindowsValid 734700x80000000000000005435961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000005435960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005435959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005435958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x80000000000000005435957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005435956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005435955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005435954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 
734700x80000000000000005435953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.566{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005435952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.551{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005435951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.551{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005435950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:48.551{4DF467A6-FDD4-6138-50D4-00000000F001}4148C:\Windows\System32\control.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=30CA8B3F037C26AEF5CD2A229845BC2B,SHA256=57DA04EB1BFAE3FCE627F7E7F09D773589354459FF4453C8876CBD1945E54C32falsetrue 11241100x80000000000000005436483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:52.372{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:52.372{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8BE97195A15D9F8EABDC26F989777B35,SHA256=671EAED4E8B1E1B34DEF59A784394AF9D5141E25A701563214C40978DD4C44F9falsetrue 11241100x80000000000000005436481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:52.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:52.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD342C295FFEF21F3D2867AEF92701F2,SHA256=DC4DA8A018B84A82A2BC9FC9C267189FE319930046A6732CFF3E7C16CCCF7CE9falsetrue 
23542300x80000000000000001536111Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:53.705{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CEC9F33B4813E8C138FC728DFCF25A4,SHA256=A6A43B520A37A2EF393B0E86A86A3F6C2C49F50CE9641E80646455DF88934B5A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005436492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:15:53.700{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005436491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:15:53.700{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 11241100x80000000000000005436490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:53.247{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:53.247{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB10344AC45D6236DB4560058D47833,SHA256=E6D73B148CA7F8D5A75BA406DEF97E80CF0DA231D443E4DB1FCABF973FEE3A05falsetrue 11241100x80000000000000005436488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:53.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:53.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A09C5123C42A1269D10766FF75E4FE8A,SHA256=BB9E0F668B279EB0C48658D56AD7D72FE392EDDAB219DFCC10A4248A01DA9015falsetrue 354300x80000000000000005436486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:38.722{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63436-false10.0.1.12-8000- 10341000x80000000000000001536121Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:54.977{AEE49BD1-415A-6132-1400-00000000F101}1081084C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536120Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:54.961{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536119Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:54.961{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536118Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:54.961{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536117Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:54.961{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536116Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:54.946{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1600-00000000F101}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001536115Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:54.707{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29221887BC5DDA9371F455283D0B2345,SHA256=C7EFFC7254A8FDBED263A88F23BCD11F1B8873A79ED9E1725CD07DA937E0CFD5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:54.294{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:54.294{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521E63EF0A0171B677BFEFC13DED512F,SHA256=71ED850022B5D60DA6B314D63B0DB213C5202B8D6A2A18E73CE8285151599331falsetrue 354300x80000000000000001536114Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:47.677{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60673-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536113Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:54.024{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4260BC115E80CBF6874D4E8E0B6BD70,SHA256=FD0084CE857AF0680CE65CEC821EE0C99425FDE437AE1A8FE4D1153D207B80F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536112Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:54.023{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7E5D4E2D9459DB35D9BAC3D258EC42E,SHA256=C98FED249B0EDCF1D6934738161D481E7DD6B203428A4F27A6981170874E2C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536135Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:55.709{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EE227E9A3F30C0185C72A2D111AF10,SHA256=901472C09BB2BBBE50EB764D8258FAC90F1B7711CF62841CBF57BBC9CC67218D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:55.310{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:55.310{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77BC1F5FC3B3B69E8310C3B52417D58,SHA256=81066873EEAFB69B506CF8B7676E5D0E0776538D73BD5F92C14C0A8E429DDD72falsetrue 10341000x80000000000000001536134Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:55.029{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1F00-00000000F101}1968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536133Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:55.029{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1F00-00000000F101}1968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536132Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:55.026{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1F00-00000000F101}1968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536131Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:55.026{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1F00-00000000F101}1968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536130Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:55.008{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-FDDA-6138-4FCE-00000000F101}5688C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536129Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:54.993{AEE49BD1-4461-6132-AE02-00000000F101}804944C:\Windows\system32\csrss.exe{AEE49BD1-FDDA-6138-4FCE-00000000F101}5688C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536128Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:54.993{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536127Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:54.993{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536126Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:54.993{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536125Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:54.993{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536124Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:54.993{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FDDA-6138-4FCE-00000000F101}5688C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536123Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:54.993{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-FDDA-6138-4FCE-00000000F101}5688C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536122Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:54.988{AEE49BD1-FDDA-6138-4FCE-00000000F101}5688C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\WIN-HOST-296\Administrator{AEE49BD1-4462-6132-E09C-1B0000000000}0x1b9ce02HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{AEE49BD1-415A-6132-0C00-00000000F101}724C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x80000000000000001536137Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:56.711{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2C4A0269C9CC0DFCD13B8A3DAB0338,SHA256=F5F23E20C4F63662624BE258101C9C6061E9A7EE6BF0CA95127D4C48E60D360B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:56.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:56.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7161C753438F6A9A28FB5B3B88BB0B6A,SHA256=8E19581C507D0E2492270D7447ADDC13A60C542AA41AB9C07B78FBF6CA02781Efalsetrue 23542300x80000000000000001536136Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:56.194{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4260BC115E80CBF6874D4E8E0B6BD70,SHA256=FD0084CE857AF0680CE65CEC821EE0C99425FDE437AE1A8FE4D1153D207B80F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536138Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:57.714{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870D378D625194EC71B4FF7DF4845F42,SHA256=350E05CFEBC614E16C0A45DD2B15975671995473ABAED20E83AB583F736DC69A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:57.482{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:57.482{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=43D1DEF03C5E55E29BFEBDD969E4926C,SHA256=96AAE72AFCC2D02F7876DFF9151CB01042A792BD3F7A4DDED3E83F2135BF0656falsetrue 11241100x80000000000000005436506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:57.435{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:57.435{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6E25864F84926646F1A42F8FF80F44,SHA256=994F583B33EE48BB9EDC73F0D58353B4C63940077C3E78B51166B7D267B3B734falsetrue 
11241100x80000000000000005436504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:57.388{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:57.388{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D5664FEAF019F11DAA8B3660290DD8CC,SHA256=20A459004C25FCE746BCE1398018412B60A68937C99D0698079C3377AC97CF3Efalsetrue 11241100x80000000000000005436502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:57.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005436501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:57.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0940397737E2B345BAE0825D875C984,SHA256=0C030A81B47E70007AF1AAFA4A8E7535BA49949C7A4E45A7765E995CED03DBA6falsetrue 11241100x80000000000000005436500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:57.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000005436499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:57.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10E5263ABCD2830DAA4FD8385A102100,SHA256=551E6D5A56F608C099B395DCEDC69E0703C96207580A9489F0CB08B356587D52falsetrue 11241100x80000000000000005436513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:58.482{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:58.482{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998D5F90DEE00AD8202243A14AEC58E1,SHA256=4F1588D5EAC8E20C90A543A905E6D40BDB67730393736705BF95CD201091CE23falsetrue 23542300x80000000000000001536139Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:58.717{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31910D652A54715F480AA0C3B3ECDF43,SHA256=BF16C6FA9104E620B686E8B9CBAC38034353DFF9F037391D24FFBBAEE4762402,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:58.310{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:58.310{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3823E210179A9D785B3A608D0AE2B177,SHA256=46D9C116C828A56E262A5250697A108AFD4D09B06E9987A0431229390D0FBEF2falsetrue 354300x80000000000000005436509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:43.738{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63437-false10.0.1.12-8000- 11241100x80000000000000005436515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:59.497{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:59.497{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F71AFF7CEE545AEF9E21356AE37366,SHA256=4A16D49D44B90C91CFDCB6ABBB7EEE840DD2C3BB86F3027E7C1C00A6533C8840falsetrue 354300x80000000000000001536142Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:15:52.909{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60674-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536141Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:59.719{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B3DC3A20C2E1C5471EE3CE877981F0,SHA256=25E86A097CB3A3C9B5A466650E00DCFD8D87D6273C2982B42780F69EB1D91D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536140Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:59.387{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E029C250D60017BFABA9C9821AC35879,SHA256=B9336AF5166EE46CEEE1752562187ACDA2588D25C587F135E17DFF020C3FCCCC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:00.529{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:00.529{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C0DAA6167876898196C96916E0AAC4,SHA256=4A18A8C6BAB1BB9543F5C36744FCBB5EB28E01E07E2E5D3B6786CC06CB58117Cfalsetrue 23542300x80000000000000001536143Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:00.721{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0155955BD7784D488D2199AC9B1CE2A2,SHA256=DD2D312C0A572C936038BB830B696E8F7910BCB37FC807F92ADEB98F5194DD43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536145Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:01.723{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF30826BF29CD4CDD76179C9A65B153,SHA256=F9AB91894C061ACA82C0406DB7387B9FA969BA83A9E7690A6064D7FAF94A9C35,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:01.544{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:01.544{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFDBAD0CD95F6BC0264217451B50CB4,SHA256=75445A0D783F5A4F887104454CFE001251ECCD5FD7D13E63FCF6539D412F0C97falsetrue 23542300x80000000000000001536144Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:01.159{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C011A90FDA38F936A96961C54331F9C1,SHA256=9DB5DA5CCB4925B9FBB5E598E241E99724B600B5BB7B769E6DB9FEF571CDDCF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536146Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:02.725{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F19633A72763106306F294D59D3059,SHA256=BD2114269CCA33E06BB0FBD1C77DBC045720CEF4566AD459170A3FC3F60A88B0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:02.560{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:02.560{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B0462D2A6038AB644E34CE29A48571,SHA256=9C04F453BC485A75C097988A01576D8FA4EE83D3AF07F7DAA1F1AB53008F6620falsetrue 11241100x80000000000000005436523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:02.529{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:02.529{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5E270BD5D88848975EF444959BFDDACD,SHA256=51CF4DDD53D5ED3DA3F5D55868B147AFEAB1137D503A0C7242ECCEDF0EFFD525falsetrue 11241100x80000000000000005436521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:02.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:02.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=449A4C680F97B2D136CC52D7D5110C0C,SHA256=0A650246EE62FEED61B80F1A8CAA1FD9C3FEA2F184A756EE8C9B2C6958A63E00falsetrue 
23542300x80000000000000001536147Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:03.727{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B982F16107014D1FF9844BDE2EF45B,SHA256=9CAA215F5657855C6EA0E4119FC57C105E5F2BDBFF9BE862EDAC49C6AFD17294,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:03.607{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:03.607{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF432B3A40E970AD8367C043670817A7,SHA256=90ECE62B4A8B31B85E2B9155E797CCDF3A1A049670CBE0A727327EAECF195900falsetrue 354300x80000000000000005436532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:49.722{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63438-false10.0.1.12-8000- 11241100x80000000000000005436531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:03.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:03.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB33EF5A50F47401F2EBC53D393E061C,SHA256=729C3586CF9533A504707B5ECFC6EA7D9E07856ADDB4C0F26787E7259CCFBDAEfalsetrue 11241100x80000000000000005436529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:03.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005436528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:03.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC5F545BB953AC2E7402E66492BF4ADA,SHA256=94E358451C245A444115250C1CF6354D4E15A16E8EF9804032B58FB8B411BC4Dfalsetrue 11241100x80000000000000005436527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:03.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005436526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:03.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0940397737E2B345BAE0825D875C984,SHA256=0C030A81B47E70007AF1AAFA4A8E7535BA49949C7A4E45A7765E995CED03DBA6falsetrue 11241100x80000000000000005436536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:04.638{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:04.638{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D89C9A9D8F2306C450BB5E7870A1C9,SHA256=6AFA21F86AD5F4EC24D2DA2940D677C3134830D4FBC7E7F14056FD72F670684Cfalsetrue 23542300x80000000000000001536148Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:04.729{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB491931D3050E5F7C9424248178906D,SHA256=66B7095FFD21387C95999AD76CD3BF87177F98C92EE76FA69F8AFF64EFCAC5E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:05.872{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005436537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:05.872{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0762272990D08ED318FD5520ED0186AB,SHA256=250833DAD581C087C10DBC712B43A5D60077AC8C484E013E8DA6C3E2350C784Ffalsetrue 23542300x80000000000000001536151Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:05.800{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=89F90846C45943861532B4736F77C597,SHA256=08282CD909F942FDD61D6C70C65D9C7B89470D44C44A32489E0FE20965832CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536150Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:05.731{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8846074F1DB6264B89B5E7EEA10E051F,SHA256=F70BB04E1AE5643212B40FCE5A8998E54FEA9FB2FB5FE20ABCD2357AC8DF4439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536149Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:05.047{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0030CB9FA40B564A848DE5A54F188776,SHA256=A5F1554C1B67F2E48BBE012521FBBDCBC76E73CE597FEB128C2F039411A2E67A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001536153Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:06.734{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E43D2281B67BCFA6BA28EE5376272CF,SHA256=FFA18F5756C2FF909F24C02E03553DE3B304CA78AC5C7BC17F14077E07511A28,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:06.904{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:06.904{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75AF14FFBA727CEEE0F9133F5EBE33E,SHA256=02E42ED797088A0605096853EC9087BD5F76637B96BF787F704DC6DFB05F1F5Cfalsetrue 354300x80000000000000001536152Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:15:58.701{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60675-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005436548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:07.913{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:07.913{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9B1CABCEB48E819460C64DB9C896A5,SHA256=0025F24CBEAA381C7E4D3A3FE43F933205D3CB9E0C699B9E445C3E668D69C661falsetrue 23542300x80000000000000001536154Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:07.736{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475693695EE41E9221A2B767951A8256,SHA256=298074CD9D1E282850E0C00E548A9574E8F34D28A7959ED8BEFB0248FA795B75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:07.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:07.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53BC92D7137B89659325884462DEFF5E,SHA256=7B6F589EDBD3D6B6434076733A9CF7F45BDFC25B55FF90F399619AACE99D286Afalsetrue 11241100x80000000000000005436544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:07.710{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:07.710{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E2C3D538817B8D4D39DD162996421430,SHA256=7237DF92633BB9F7E94259DAE636A538C3FCD0DAB4EBEE13117EF19573297634falsetrue 11241100x80000000000000005436542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:07.070{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005436541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:07.070{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC5F545BB953AC2E7402E66492BF4ADA,SHA256=94E358451C245A444115250C1CF6354D4E15A16E8EF9804032B58FB8B411BC4Dfalsetrue 11241100x80000000000000005436554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:08.960{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:08.960{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B76B0A81B578A55558763F47A3F104,SHA256=2EAC6428331F5D7B014F747963BCB11F6961C64CE064A77F3479804289E93639falsetrue 23542300x80000000000000001536157Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:08.738{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FFB92FE1C9AE10D35E6E48BDD705B3,SHA256=58E3B44DD9B2FC15DC53F7FFF8353489565C6D92182564DA3C553F09276C51E4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:08.413{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:08.413{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5618D1658807AE8BA00ED03D799830A7,SHA256=6A720629D75583198191D1AAB08CA5609B652267D4F5B355A71A814DEAFECBECfalsetrue 11241100x80000000000000005436550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:08.335{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005436549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:08.335{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC34BD6C42B177F3A0DC5C105BFA166A,SHA256=D315B7E3CCA0A0839799B34A9940B6D2680DD456C4573838062A1503E54D4724falsetrue 10341000x80000000000000001536156Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:08.638{AEE49BD1-415A-6132-0D00-00000000F101}7883920C:\Windows\system32\svchost.exe{AEE49BD1-DACA-6138-1CCA-00000000F101}4976C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536155Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:08.638{AEE49BD1-415A-6132-0D00-00000000F101}7883920C:\Windows\system32\svchost.exe{AEE49BD1-DACA-6138-1CCA-00000000F101}4976C:\Program Files\Mozilla 
Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001536158Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:09.740{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E16BAAD95960C21E931A8789E0594C8,SHA256=62C5619DEC8261585326AD75A6DE081AEA3FCBF00994C39FBEE5E8503B7E1441,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005436582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:54.872{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63439-false10.0.1.12-8000- 10341000x80000000000000005436581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000005436580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005436555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:09.070{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001536161Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:10.743{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B18094BA228C206747F2FF5C5493E59,SHA256=F81F362AC4C9367825054BE69E6DAF03793700BBDB1E8854B22218B24CC683FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:10.351{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:10.351{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC3A004BA469AF892A7A71ECD34E016,SHA256=8845E78A27ACBF9BB9EDD10BA16D86E134879020D6E89AA822CF2FDAED6367DEfalsetrue 12241200x80000000000000005436584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:16:10.257{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005436583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:16:10.257{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000001536160Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:10.094{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=561A2A6C5459573A1E33CEADFC80440B,SHA256=08135667E13CF66B1D10E0C539D418F6573F463493C61E74F1C8EB586D6D1E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536159Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:10.094{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EB2E59F67D0E6674466E53FD08457C8,SHA256=864BF472689DD2B6CFBD708321E621B92BBDC0FD060ECB55D81F1E9AC4F9C529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536163Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:11.745{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802E3E15162C3E348AC3B5A800959D25,SHA256=9A017DF4ECE3229DDEF9F27AD7D21DDA18BAFD186E60DAAEDCAE5EB6B1886495,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005436592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:57.904{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63440-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005436591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:15:57.904{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63440-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 
11241100x80000000000000005436590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:11.413{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:11.413{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DB306A7D88615B90866B72E7EC5E79,SHA256=01E3E1238F33EDE7F81CBEF0D80916C69A8B4ED0CA2021A1805F43BA16224A62falsetrue 354300x80000000000000001536162Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:03.732{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60676-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005436588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:11.273{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005436587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:11.273{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C36BE48F132A7E23B273FBC0A7007C,SHA256=42943C722257D0872B8A2F50B9BB59D2BDF5B26A639E145B213B6451033639FDfalsetrue 23542300x80000000000000001536164Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:12.747{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711ED84F6D01754F7E4842C598B6113E,SHA256=052843D7ABC545298044EA86F8FB4C35E406E1FE62C4A3F487A17CE82D452B7F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:12.726{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:12.726{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2EFE0BF5522954F2B42A0CC8C65A5B11,SHA256=A33E2D75B8AC045426B784FCE3829438CAF6CD7EF9A85CA2F52C251053051E47falsetrue 11241100x80000000000000005436596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:12.632{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005436623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:19.001{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD6AD0EE39073F0283DA419318E0CF1,SHA256=E5651CE8C8AD3DADB69B5AF026BFE8F2EF5EA57DD556671137D6746A8FEF6961falsetrue 23542300x80000000000000001536202Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:19.412{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D556B186FA13F9D3499F5E1D76B15BF,SHA256=AFC576FB2727366F21498A8DD11B1E6BD4BB82F4A8931D266C5C38FA77C6E53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536204Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:20.763{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADD51E65AE7DCE3854F367FA276B120,SHA256=10570B3FC54A3BD864C25774E5DC5B454913606077978A73FF68107067EED66C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005436632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:05.842{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63442-false10.0.1.12-8000- 11241100x80000000000000005436631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:20.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:20.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BD5B36D426F9F7F75CFDB2951767A1,SHA256=97E3380A851735D0315A43E81E152D76CF297D72FF0AA136ACDA64B0130290F2falsetrue 23542300x80000000000000001536216Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:21.765{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7330D1A7C24D49FAC409A94346079BA,SHA256=AFE8A7AF14B12CAFE922E9EE39D081AE2D241E9C9B7873F096CE8C31E97E1597,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005436690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.470{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005436689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.470{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005436688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.470{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005436687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.470{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005436686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005436685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005436684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005436683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005436682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005436681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 
734700x80000000000000005436680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005436679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005436678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005436677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005436676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005436675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005436674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005436673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005436672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005436671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005436670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 
734700x80000000000000005436669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005436668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005436667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005436666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005436665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005436664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005436663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005436662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005436661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005436660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005436659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005436658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005436657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005436656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005436655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005436654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005436653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005436652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005436651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005436650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.345{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005436649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.329{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005436648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.329{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.329{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 
734700x80000000000000005436646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.329{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005436645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.329{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005436644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.329{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005436643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.329{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005436642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.329{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005436641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.315{4DF467A6-FDF5-6138-57D4-00000000F001}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005436640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:21.314{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:21.314{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005436638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:21.314{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:21.314{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005436636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:21.314{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:21.314{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
11241100x80000000000000005436634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.048{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:21.048{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666F89C7C663ED5AC8A7F61CE3776AF1,SHA256=96197F1A8E3F7E04FC711C37375364137D62D7907D1C33E070D305326E5BEC1Ffalsetrue 13241300x80000000000000001536215Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:16:21.418{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001536214Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:16:21.418{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1a50d025) 13241300x80000000000000001536213Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:16:21.418{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4d5-0x3e412f08) 13241300x80000000000000001536212Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 
18:16:21.418{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4dd-0xa0059708) 13241300x80000000000000001536211Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:16:21.418{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4e6-0x01c9ff08) 13241300x80000000000000001536210Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:16:21.418{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001536209Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:16:21.418{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1a50d025) 13241300x80000000000000001536208Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:16:21.418{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4d5-0x3e412f08) 13241300x80000000000000001536207Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:16:21.418{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4dd-0xa0059708) 13241300x80000000000000001536206Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 
18:16:21.418{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4e6-0x01c9ff08) 354300x80000000000000001536205Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:13.830{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60679-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536217Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:22.767{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FACF9CF6BF02AE8B1852BE2E46F9AB,SHA256=285F61A6533880C7F824A2A7CBE4915C95FA7FC371C36739EF11CA8FA6CD77E6,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005436812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.798{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005436811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.798{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005436810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:22.798{4DF467A6-FDF6-6138-59D4-00000000F001}77722828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.798{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005436808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.798{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005436807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.751{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.751{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0F796AD28DF4C1F9428FA42A1B704A74,SHA256=B80DAA3672CCA2BF0F0C5374BA8E1DFC3AD8591A0626180A500C0A319C6422CCfalsetrue 734700x80000000000000005436805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005436804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005436803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic 
Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005436802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005436801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005436800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005436799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005436798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005436797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005436796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005436795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 
734700x80000000000000005436794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005436793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005436792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005436791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005436790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005436789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005436788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005436787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 
(rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005436786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005436785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005436784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005436783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005436782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005436781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005436780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005436779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:22.673{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005436778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.658{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005436777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.658{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005436776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.658{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005436775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.658{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005436774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.658{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005436773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.658{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005436772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.658{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005436771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.658{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005436770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.658{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005436769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.658{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005436768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.658{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FDF6-6138-59D4-00000000F001}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:23.767{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005436925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.767{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005436924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005436923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005436922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 
(rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005436921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005436920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005436919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005436918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005436917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005436916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005436915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005436914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005436913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005436912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005436911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
734700x80000000000000005436910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005436909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005436908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005436907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005436906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005436905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005436904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005436903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005436902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005436901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005436900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005436899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure 
Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005436898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005436897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005436896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005436895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005436894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005436893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005436892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005436891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005436890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005436889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005436888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005436886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005436885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005436884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005436883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:23.751{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005436882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.751{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005436881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.737{4DF467A6-FDF7-6138-5BD4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005436880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:23.736{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:23.736{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005436878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:23.736{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:23.736{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005436876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:23.736{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:23.736{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
11241100x80000000000000005436874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005436873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52A82128D28175C6D8074DE9955AFBDE,SHA256=1534D861D08B9A3B083EFCC109AC02AFA6C424BC6949C6F1647C49C5EC3C1AB7falsetrue 11241100x80000000000000005436872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005436871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8142FCEC9EFB742DE9B74D7FF89E11D5,SHA256=857954DC5DF70FC0E8A6A135FD319FF3F64BFC55C053B4C69790C3D33FDF0CD7falsetrue 11241100x80000000000000005436870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.376{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 
15:28:51.675 23542300x80000000000000005436869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.376{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCF90BE0CCFE34D7AB5D31C2CF074A6,SHA256=61C3D01E79EF402EECCE49EA3D2A297FDAC366B156608CBAC4476A49811562A3falsetrue 534500x80000000000000005436868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.345{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005436867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.345{4DF467A6-FDF7-6138-5AD4-00000000F001}77487692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.345{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005436865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.345{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005436864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.236{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005436863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.236{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005436862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.236{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005436861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:23.236{4DF467A6-FDF7-6138-5AD4-00000000F001}7748\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005436860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.236{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005436859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005436858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005436857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005436856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005436855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005436854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 
734700x80000000000000005436853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005436852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005436851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005436850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005436849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005436848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005436847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005436846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 
734700x80000000000000005436845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005436844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005436843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005436842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005436841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005436840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005436839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005436838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft 
WindowsValid 734700x80000000000000005436837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005436836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005436835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005436834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005436833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005436832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005436831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005436830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 
(rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005436829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005436828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005436827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005436826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:23.220{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005436824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005436823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 
734700x80000000000000005436822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005436821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005436820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.220{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005436819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:23.206{4DF467A6-FDF7-6138-5AD4-00000000F001}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005436818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:23.204{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:23.204{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005436816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:23.204{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:23.204{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005436814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:23.204{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:23.204{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001536219Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:24.773{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE00E06CDA179528CD3B72592A365D0C,SHA256=1FEAA2F6CF7D5AFB3548A6AE2C4EE1C6495DD61638596FAFA3BBE85A127B78E6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005436997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.954{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005436996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.954{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AA7F8C8E5BEFFBE9716E4E2686A7A0E,SHA256=70753EF63D106A9EDAEB65FC5EC1CC9FA1185D729F0BF14BCAF5D5EF4405CA0Ffalsetrue 534500x80000000000000005436995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:24.548{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005436994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.548{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005436993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.548{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005436992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.548{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005436991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.439{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005436990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.439{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005436989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.439{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005436988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:24.439{4DF467A6-FDF8-6138-5CD4-00000000F001}5164\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005436987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.439{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005436986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:24.439{4DF467A6-FDF8-6138-5CD4-00000000F001}5164\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005436985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.439{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005436984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.439{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005436983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.439{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 
734700x80000000000000005436982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.439{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005436981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005436980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005436979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005436978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005436977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005436976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005436975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005436974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005436973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005436972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 
734700x80000000000000005436971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005436970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005436969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005436968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005436967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005436966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005436965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005436964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005436963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005436962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005436961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005436960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005436959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005436958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005436957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005436956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 
734700x80000000000000005436955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005436954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005436953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005436952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005436951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005436950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005436949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005436948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005436947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005436946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005436945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005436944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:24.423{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005436943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.423{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005436942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.411{4DF467A6-FDF8-6138-5CD4-00000000F001}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005436941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:24.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:24.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005436939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:24.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:24.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005436937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:24.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:24.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
11241100x80000000000000005436935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.408{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005436934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:24.408{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5455C2D14E8F5395FA54ACEB2333BE35,SHA256=DDAC97AAF20A7A59F3172E16381EEE91A26B21B2DF885A720401C740D64CE318falsetrue 23542300x80000000000000001536220Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:25.775{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C44295B82C2BEEEB391FB090DB9278,SHA256=A35C9DE7D382E21B11AA7C994D3DA807C98AE215A57C5DCB40FB4782EE1FFE7F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DDD91D6EF45883E887645B3A21C6F3,SHA256=90CD69579744EBF43AEA5D4178F1E8E08917F20E738A03EE5034837D8597826Afalsetrue 534500x80000000000000005437055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.173{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005437054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.173{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005437053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.173{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005437052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.173{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005437051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.079{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.079{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55D2461D5A898C64D5BB303F7FD9D4C,SHA256=35789F8F5EB7F5D2E93BFD61F5907769DF34795FB8732349FAB769450693FDE0falsetrue 734700x80000000000000005437049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.064{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005437048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.064{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005437047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.064{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005437046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005437045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005437044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005437043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005437042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005437041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005437040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005437039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005437038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005437037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005437036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005437035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005437034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005437033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005437032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005437031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005437030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005437029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005437028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005437027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005437026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005437025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005437024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005437023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005437022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005437021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005437020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005437019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005437018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005437017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 
734700x80000000000000005437016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005437015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005437014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005437013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005437012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005437011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005437010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005437009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005437008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005437007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005437006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.048{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005437005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:25.048{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005437004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:25.034{4DF467A6-FDF9-6138-5DD4-00000000F001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
18141800x80000000000000005437003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:25.033{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:25.033{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005437001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:25.033{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:25.033{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005436999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:16:25.033{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005436998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:16:25.033{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001536223Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:26.777{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C559716FC0A9A87096BCA4EB2C2E5BCA,SHA256=8B0306E17A81668C2E1E41CB522597DB2C10B93D645F3E89FAE7AC6791EC8B36,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:26.454{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:26.454{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93F86C73A21DBA42B13A42AE8DAC59C,SHA256=2F64B5C20EF68224CD515C734231B0B064E41049F7B49D6487EA50B44C59ECD4falsetrue 23542300x80000000000000001536222Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:26.144{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED8B7F92E7BECDA1B67C3E13C2D9669B,SHA256=DD8D9BA720131C6BD046F15D26B3B7C9D1578BA23E82102F6A1F44BF3676A27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536221Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:26.144{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4940C1D12F307BC1897B8A4933A572B7,SHA256=5923BC5C06BA8A39F25FE2004E74B64B038A07535299D2CB5FAB498A0D37CFB7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:26.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:26.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=543BF4D272461B44F1934ABCEAF84108,SHA256=E2832CF689333AF50340F769ABF8BE93021FF448B0327DD9E10807C659CEF94Cfalsetrue 354300x80000000000000005437058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:11.757{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63443-false10.0.1.12-8000- 23542300x80000000000000001536225Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:27.779{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0420404058D1F9EC5E899689F5CD118B,SHA256=53EC2EA5676649F7EFAA6BF9BB1CB73D65C6CA3F8E7E7AA2951114C79CD0C7E5,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005437068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:27.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:27.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=11B12AE378F01552E21AA640C17E7361,SHA256=459B5F068A7586FFE10A166D98499CB5D9B048C4BF52DF3005C6AD2D3AAB185Efalsetrue 11241100x80000000000000005437066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:27.715{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:27.715{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EDE2E91A849639F49E1FD02202D29145,SHA256=355BEC2A396788E3D7EB2EEAB88C428EA642F685B6F02D543F169288EEFF3A11falsetrue 11241100x80000000000000005437064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:27.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:27.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CC2241891A548EF274EA8DED7587F9,SHA256=A34385922D0751CA9065B9395C1539BAA5D0EA3B6E1116AB62B9AAB4F8FB6790falsetrue 354300x80000000000000001536224Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:19.766{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60680-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536258Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:28.998{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D45310E415D319F5D2B2284F2D5FB2F,SHA256=0C9CF0D7EF3623CF418F24D75C78036FB524759E17AACA18EA6F1D8F146C24A5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:28.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005437073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:28.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=591DCEE98D5AEEAE3F9EDE138FED2B89,SHA256=D0895F3E5AB841C81FB4E228C082D46E6B67943FA0C969BB1E704EE39E32B77Cfalsetrue 11241100x80000000000000005437072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:28.527{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:28.527{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2028F80904079248D72C4A0129F9D6C,SHA256=DC039F9AA1A4413BB53557F30F257A30D11352D2A025619E93414A10ECBBE469falsetrue 10341000x80000000000000001536257Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:16:32.414{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE00-6138-53CE-00000000F101}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536272Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:32.414{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536271Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:16:32.414{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536270Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:32.414{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536269Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:16:32.414{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536268Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:32.414{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FE00-6138-53CE-00000000F101}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536267Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:32.414{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE00-6138-53CE-00000000F101}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536266Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:32.408{AEE49BD1-FE00-6138-53CE-00000000F101}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001536265Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:24.894{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60681-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536264Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:32.128{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1758508631300985AE58777899FF94,SHA256=AFE7CA352F7A7CC25F80D3F0649B4FAF3121AA94BC81A0D1CD6C8E45A0CA15F9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:33.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:33.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=04DA9AA2C18EF8F3E1C9F2A6A0953CD6,SHA256=5FD2B2D846D22E4AC456A0DA64F2F3CC39475975468C5BA9A28CCBA734A34FE0falsetrue 11241100x80000000000000005437107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:33.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:33.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B80E5FD9791C3218750EA57AE4FE6D4,SHA256=BD40100FF50C9F522BD91B42B4D68B65E3B8C2B106E19139810BCB0FC543C783falsetrue 
10341000x80000000000000001536294Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.913{AEE49BD1-FE01-6138-55CE-00000000F101}58804632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536293Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.778{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE01-6138-55CE-00000000F101}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536292Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:16:33.778{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536291Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.778{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536290Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:16:33.778{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536289Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.778{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536288Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:16:33.778{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FE01-6138-55CE-00000000F101}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536287Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.778{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE01-6138-55CE-00000000F101}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536286Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.763{AEE49BD1-FE01-6138-55CE-00000000F101}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001536285Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.412{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F548FADDB19F206AB0451A533F81E6D1,SHA256=C563D3140EB99FA05D37641C39B2934853E49CCB2D19206DCFB8BD3F21825641,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001536284Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.215{AEE49BD1-FE01-6138-54CE-00000000F101}5268644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001536283Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.130{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC069B3133BD0E88505AE1427935D95,SHA256=B9D04B6B6A8E8261332C48517F52045A7CF7005849D5374184FB8D38A149875D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001536282Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.093{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE01-6138-54CE-00000000F101}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536281Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.093{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536280Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:16:33.093{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536279Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.093{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536278Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:16:33.093{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536277Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.093{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FE01-6138-54CE-00000000F101}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536276Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.093{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE01-6138-54CE-00000000F101}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536275Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:33.078{AEE49BD1-FE01-6138-54CE-00000000F101}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005437111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:34.715{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:34.715{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D5B32C6F116C656543D59A9E5BA17A2,SHA256=E97474B4CCC0F2C68F37E00733CFB7F133CA44065AD3B5DF20FF883DAA26002Cfalsetrue 23542300x80000000000000001536297Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:34.780{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=718D78482874AD2D34FE5BC5679FA50F,SHA256=AB3A8008A5CA2BCB1B2BB3EAA831FDAE4A1979CBDB177433522DA68B0E634296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536296Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:34.666{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7174MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536295Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:34.147{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96AC94E4B5033C13191F62C5009ADF9,SHA256=FC9461BACE04637C1C3D558729E1AC9623D148385DA0AFC8733E52BD604087A6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:35.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:35.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9518E2B23BFED64EB66103999B6C2E9D,SHA256=15ED61B5348FEF496A030EC429B20E722B41D5DE875D7F59B476BDDEAB633C6Dfalsetrue 23542300x80000000000000001536299Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:35.666{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7175MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536298Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:35.165{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B46A770ADA12258B5BFEB9ACDDC0937,SHA256=3723A73DF2BFCAC82FC3F1781E49590D64CA68A1B1DE4B308C560BF770011470,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:36.761{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005437118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:36.761{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC007E856F52637FD885EDC28FDA5EE3,SHA256=166C02C798542BD130A78242260213B11C17B81674A2890C1237A6C1920DE817falsetrue 23542300x80000000000000001536300Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:36.169{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC4DFAA082604E07C3235885BC999F6,SHA256=9CD7AA448DF3F4BD32EA9D4CAF73E8BCDA7CDC1CF25446FE7F016FD16FED5DDE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:36.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:36.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D0C946CE285F0B109386DCD7B3BF9A2,SHA256=AE696CEB2D4D31E64B60DD806C2E98468CFC85A68C395FCBFD6553CE4EEF2021falsetrue 11241100x80000000000000005437115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:36.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:36.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98CA2627AF4AC08D82FDF438F5E9DF74,SHA256=D2C802AF097AB5BECE8226C59212FB5BA1832C34217BC22E7928020107EEA772falsetrue 354300x80000000000000001536303Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:30.872{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60682-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536302Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:37.402{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=135756FB4B5FF4A9809646D86FA0789F,SHA256=DE4FD1C170334BC90B6AAA650AA237B50F24F3A1CDF20139C3EE3D4E6904B6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536301Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:37.170{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7674AC9772B557DFB031A8B37E0205,SHA256=5DF1FFC677206C3E492B1E56E6512B53883A61858FD14D7DC3C33759B3734F59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005437120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:22.813{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63445-false10.0.1.12-8000- 23542300x80000000000000001536304Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:38.204{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC54937A148153EE8DD300C529446C7B,SHA256=98767B01D6EED4393ECB1AECC924D6950802C2FD97A5808875C758314219F3BD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:38.730{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:38.730{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=60989FABA30F0E708D12999774531071,SHA256=471B5A0A6B3DF180F2128D089E93C1B0498DDB1761572690EEB586760C60864Cfalsetrue 
11241100x80000000000000005437126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:38.105{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:38.105{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=26BF6E0DC9BEB870C4AC51E23B219C50,SHA256=9D7D1E6625A33130DCAE1AF3FFFBB76DE01FE26DDD1381603FD043B8B9CD9B49falsetrue 11241100x80000000000000005437124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:38.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:38.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3C1CB7632B5DD00FB44EA50EDBA3A470,SHA256=757334FF6637833D188E6433B931DCC9B0F6E490E72F842013151574783A4D88falsetrue 11241100x80000000000000005437122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:38.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:38.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086D75DB268A12B1A03B715A11150939,SHA256=6D2909FE29496C6E2FCB91DB59BC8A2B5C57A81161370805A9488E691256A1BAfalsetrue 23542300x80000000000000001536305Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:39.226{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2951A4CC1FC60620018E9088737C17,SHA256=7C0713FD92EBB0C55B4043262FE00BD6580A0CE1979F22B0A0750621BCFF3D30,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:39.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:39.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55B22E668E6E3F1F22A50F2DF17A044,SHA256=4EF1AB3F6D7D4861A2AE9B6CF2D28BDFACF8CA6640EF70BAB5CBAE0A8DDD5DAFfalsetrue 
23542300x80000000000000001536306Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:40.262{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F79ED731AAB195718E5222B6C4D3F8,SHA256=71C666F559F110B4EBFE300C35D161772AA9EE754B05DEAFDCECD774B5615A13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:40.261{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:40.261{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E7801EB7A765FDB2402325AF260BFA,SHA256=3EBCECE890743E9E17BB220EB8E03418A14935BBF73115CBC9F87710C6B8AABCfalsetrue 23542300x80000000000000001536307Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:41.264{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDCE7B1057D5330220D839327D9842B,SHA256=C32E421B414386F2A934104FA5A6E5E9B3464B7D590821EE16EF06B725EEFFE5,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005437134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:41.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:41.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB55A42A1BFA6FA31DE163347EBF8F6,SHA256=4CF154CC7482CA2FC29BF0CB9052C38BAA0C9EDD4015D9053793357D58BD36A5falsetrue 11241100x80000000000000005437145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:42.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:42.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=854809AC50B74993F4C8B2D5D0AB91A7,SHA256=84C8E54D56B48FBCA218A8F187927757A2631F4FA6532DED3B313A1C8A5570FCfalsetrue 11241100x80000000000000005437143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:42.886{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:42.886{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=92F0744B9834079266EE0DA6A13AC007,SHA256=B1463CC5C05A3DC0CE464C7B774D5099C4258A5747306952966073997C5531B2falsetrue 13241300x80000000000000005437141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:16:42.793{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a4dd-0xad006cc7) 11241100x80000000000000005437140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:42.386{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:42.386{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471BB5E1D6CBBE54D189C3BB02D3A739,SHA256=D3B9A46240E34A7BD2A812409D4261BD5DA236776B3CED772083CEC97EBA2E5Cfalsetrue 10341000x80000000000000001536316Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:16:42.883{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE0A-6138-56CE-00000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536315Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:42.883{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536314Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:16:42.883{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536313Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:42.883{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536312Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:16:42.883{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536311Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:42.883{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FE0A-6138-56CE-00000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536310Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:42.883{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE0A-6138-56CE-00000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536309Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:42.868{AEE49BD1-FE0A-6138-56CE-00000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001536308Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:42.282{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78492955203BC402C81A38E52FCDD594,SHA256=EE8C0941236D904FEB6D27F327143F5649080765C8C1987C2BCAAF2020BAE52F,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005437138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:42.340{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:42.340{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B8E50A16E022264A0750A3C67BE8015,SHA256=34457EB44B2A0E46A797EBC7062A370FF8B125E204EC6DB20D63E5CA3BE44E40falsetrue 11241100x80000000000000005437136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:42.340{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:42.340{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D0C946CE285F0B109386DCD7B3BF9A2,SHA256=AE696CEB2D4D31E64B60DD806C2E98468CFC85A68C395FCBFD6553CE4EEF2021falsetrue 11241100x80000000000000005437152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:43.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005437151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:43.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C7F2C7E8E5C181E8FABF778CD864ABDC,SHA256=E5228241586C39F18BA364FB1F22F959EDC1298D991F0AABAEBBFA25B8666F55falsetrue 11241100x80000000000000005437150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:43.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:43.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B8E50A16E022264A0750A3C67BE8015,SHA256=34457EB44B2A0E46A797EBC7062A370FF8B125E204EC6DB20D63E5CA3BE44E40falsetrue 11241100x80000000000000005437148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:43.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:43.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE2362F31DC6614F8525341918E27E8,SHA256=A4248C7BBA0AC9FA38D67C1977406DC0CBA57E4F4DCC17BBE648494EF983253Afalsetrue 354300x80000000000000001536320Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:36.768{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60683-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536319Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:43.284{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C853BF8481EF160532A54AC4D3DB2004,SHA256=B13876DD6F967796471E1CB221DBB340A178BD6D97AAE8C0ECC416D5B488BADD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005437146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:28.751{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63446-false10.0.1.12-8000- 23542300x80000000000000001536318Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:43.133{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92C490388B667D06BF2C86D2F7594C83,SHA256=9C420E9E2799E856B329068F41658927173D427ABBC1F0425990BF7521CA01DA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001536317Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:43.132{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3B35B7D847C1567ED7C4CE241CC2DD9,SHA256=A50E91D7A8219609B10E5784AD667543BB9A5479F6E8347267CC2977DCD5234E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:44.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:44.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04C546307989F50BBC36F3DC8705938,SHA256=7FC80BA7EB6E85B2FDC3784B5D89BFA443B696C6E59414667593F07630EF7293falsetrue 23542300x80000000000000001536321Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:44.302{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B71C83D3EF4129615A55A51662810C1,SHA256=C053EBE7257BD90705C89DC8344C876AE8332BD3C11A53BDE967EC9DE8D72402,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005437153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:30.422{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-291.attackrange.local123ntpfalse169.254.169.123-123ntp 11241100x80000000000000005437157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:45.527{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:45.527{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56C0BD99DE606657DCB7769F2FFDA9C,SHA256=9A78BB7E3CEFBCCC0CBDA5C0C5905490E3E75D008667AA6505DF34BD6F65C366falsetrue 23542300x80000000000000001536322Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:45.304{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D1E41E5F6568C58607D2E6036D394E,SHA256=B77831F57D1339C53BBB58AE7514375F4E4ACC1B19B32CE57A7E347F49A4642A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:46.558{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005437158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:46.558{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD9C4F698D88D3912F25B6474C0622D,SHA256=072D8F4EDCA997E9BE9BE749B093D860578DD65AF3955C5F3EDBB01665FFFD8Afalsetrue 23542300x80000000000000001536323Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:46.307{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E70E0354BC13738FA66FAAF8E7DD2C,SHA256=74D3F0781E982DAD39DEE4DAEDFA1F0D5061783F9EDA0DE1963C5025E505FF42,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:47.979{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:47.979{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7367B7DA46C73AB054CD9BCF909EB791,SHA256=D3A552470C7CC7BA848EA30F4DB5AFAABD975C9219A931253EB2DC4C11253DA6falsetrue 11241100x80000000000000005437165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:47.885{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:47.885{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=396F63A5A91AACD4E3F8AD4B84D79EC7,SHA256=2CCDE32E2A2BD449EE65810B3D1A3693CE9BDDF83C9101F98B7C91B7D32BD56Dfalsetrue 11241100x80000000000000005437163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:47.729{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005437162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:47.729{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005437161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:47.572{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:47.572{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776398BC076DF487F370CF6A6A692905,SHA256=9079403A62883C2106026866EB0D2207C53BD7844BC31201DEEBB9F83C2E8100falsetrue 23542300x80000000000000001536324Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:47.309{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D055B4C7AE6714E1754BD460E0FB8D,SHA256=41CF485CBCF73A1511E1DEB7DCB8A37B59BD0E6ECF094B97E8E4D24756F464E2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:48.822{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:48.822{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9ECCB88F7E947DD8F0BE57A775C8E1B4,SHA256=2C642FC8C1EBF2677C9FA20A75997A06ED39400DAE171167F8FA53E22D8F51F0falsetrue 11241100x80000000000000005437171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:48.588{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:48.588{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F101BCBB934557BB62FC98978EA854,SHA256=37BD20237B1D26C0640C3BED03E63C0DEBCB337116A348E8826D8FAC77AF1DDEfalsetrue 354300x80000000000000001536328Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:41.848{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60684-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536327Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:48.312{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A4C5F7663DCF662B82F832F00CD609,SHA256=0003DA78F05398E811FC00F1CCD7B967FFAB0E3D7D9F0428D2C22E20F04BE5E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:48.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:16:48.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=267551E0F8D563A7912A47BFE81312FE,SHA256=83853F2DE01458D1C2FFE0DE576F5AE9DBB26A22EBD0B7AAC96D7A96561DE63Efalsetrue 23542300x80000000000000001536326Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:48.248{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69FB503F3B8008C5532870FE70B8784E,SHA256=5F4E9D9B55D1915C50C20DB8F18A6C728D2A4983D0A31889C4EEDAC1078AEC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536325Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:48.247{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92C490388B667D06BF2C86D2F7594C83,SHA256=9C420E9E2799E856B329068F41658927173D427ABBC1F0425990BF7521CA01DA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:49.635{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:49.635{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3762EB8F5D64A1F2E150496816D70571,SHA256=93050489516586FF31E332D40E40222E043A5F068AD9C90B84BC8A4D4889AB4Efalsetrue 23542300x80000000000000001536329Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:49.330{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DD61EE0CBC0C948FB1D8488213C43B,SHA256=B0EC75751468923224A831093371271C4C097280CD8238B2B47C3E21A680548F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005437187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:35.359{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63448-false10.0.1.12-8089- 354300x80000000000000005437186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:34.749{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63447-false10.0.1.12-8000- 13241300x80000000000000005437185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:16:49.369{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000005437184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:16:49.369{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1a593c26) 12241200x80000000000000005437183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:16:49.369{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000005437182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:16:49.369{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4d5-0x4e7e26b9) 13241300x80000000000000005437181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:16:49.369{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4dd-0xb0428eb9) 13241300x80000000000000005437180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:16:49.369{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4e6-0x1206f6b9) 13241300x80000000000000005437179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:16:49.369{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000005437178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:16:49.369{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD 
(0x00000000-0x1a593c26) 12241200x80000000000000005437177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:16:49.369{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000005437176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:16:49.369{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4d5-0x4e7e26b9) 13241300x80000000000000005437175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:16:49.369{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4dd-0xb0428eb9) 13241300x80000000000000005437174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:16:49.369{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4e6-0x1206f6b9) 11241100x80000000000000005437191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:50.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:50.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5749DDD52976B854A8F8C61B338E522,SHA256=E6F1234E1CA0130C7658B836666695E7369F0BA0A47C1ACA2EF2BA2A6C373BCEfalsetrue 23542300x80000000000000001536330Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:50.331{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33E1535507E4BD4C05A6642F35EF3A4,SHA256=3BD6001C658A1F9FAAB3AD7866F2B99B32B437D4776FDD3A61EC3C5E2D3E3A0E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:51.682{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:51.682{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5624A4C66218F74815E9857C7EDE6CBF,SHA256=4F4340D408DCBA05D100A933B8452C8BB49C4ED3C6B0BE4467627C85525F336Ffalsetrue 23542300x80000000000000001536331Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:51.334{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DF02232358E646C1B2CABA9D832179,SHA256=7179123C6A5F892B96A608FCA65E0A467CAC449F91C844173B935A386AEC686B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:52.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:52.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1CA8E22ABB59B3BD85F646651224DDD7,SHA256=43975CEB576F31180A435BB3302E9D754504F822C68DCD3324E8560A92EAA8A2falsetrue 11241100x80000000000000005437195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:52.713{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:52.713{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8E1980A95E066D6DDE2D9680460735,SHA256=324555DCA6BC8ED28A20B3BD5508BD2A9E3EC9AB87B307EBD74951AD86EB7EBAfalsetrue 
23542300x80000000000000001536332Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:52.337{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2859268A27CE083BF7E294E16220E878,SHA256=986ADC12AD3A5648AC3BF22DF688CF805B0343B638A9D8B5A40162BA18567429,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:53.869{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:53.869{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=52E1501DFE4C02895218AD51F8CF8F31,SHA256=F30D164F982F6D04D410CC05332E27776FE64B8F062265E5C75834B59CFF2CB8falsetrue 11241100x80000000000000005437201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:53.760{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:53.760{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0A798DA51C1D4C557A448B10B7E25C,SHA256=CC3F628BEDE4DC13BF53CB6251BB80004E54F8F3CC37786E334BF8B8C77F660Cfalsetrue 23542300x80000000000000001536333Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:53.339{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B58D2F94C7163FD7B4A9708947F1CD9,SHA256=41BF54A71561FF6F5F2577C65EC7D4954237482A5F964A303B065DF47B328784,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:53.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:53.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=83FF4D7CBCFA8545B34997671B5A1F4D,SHA256=E30245C8D2B9E7203F14F478F6C4F336492428CA4FF4AB583951EE16CC77EEFBfalsetrue 11241100x80000000000000005437210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:54.776{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:54.776{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A47AF5825143B68E03DCD7BADE7D250,SHA256=034CCA221E8CA22FD2BFD2954B664361382818158CB2EE842ED62B198AC70A83falsetrue 354300x80000000000000001536337Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:47.832{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60685-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536336Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:54.341{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EE7D8630F34BEC3EBEDD49856986780,SHA256=D012B5C0C571F3329E14B402F0AC7B4F025D13AF9E8F6E8BB677BFA5E5E7D24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536335Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:54.341{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B86EF973C20E74B37E41ADE1C49EB48,SHA256=E3BF3A6A310A5BDEA1129088B53DB5347E95C6B6746F27A46CBDFC479D35B479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536334Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:54.341{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69FB503F3B8008C5532870FE70B8784E,SHA256=5F4E9D9B55D1915C50C20DB8F18A6C728D2A4983D0A31889C4EEDAC1078AEC22,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005437208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:40.780{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63449-false10.0.1.12-8000- 11241100x80000000000000005437207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:54.307{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:54.307{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFC97577E1AFF4C7B420EAA0FBEF6A03,SHA256=253AAA47E8DF1FA4CC8D96D66A671F10D09FCA2F54428C722BE186EA7B80C782falsetrue 
11241100x80000000000000005437205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:54.307{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:54.307{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD0A244BE6307EF73FF2DD0AA8F9D658,SHA256=AAAEF6FC46F80C5C05B71BA79D9EB55D4B6BBD9C8B04321EEBCB0845BC31194Ffalsetrue 11241100x80000000000000005437212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:55.791{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:55.791{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4795783AEAEF2C28A88D4E1470430B5A,SHA256=3C4F711EA3849043BD3152D3895EAD4E9B402130A42B9C204F21FE36EA50A201falsetrue 23542300x80000000000000001536338Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:16:55.344{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Sysmon records from the flattened export, one per line with the field names restored. Common to every record: Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, RuleName=-; Version=2 for EventID 11 and 12, Version=5 for EventID 3 and 23.

(continuation of a FileDelete record whose header precedes this section) TargetFilename=(truncated) Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=70A22D6A5E020C54F7E802D73AE1BD84,SHA256=B0CCAC67BA295B75021238CC0A1998AA04E27E9EB172766670EF317643972C88,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437214 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:56.854 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437213 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:56.854 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=260ADE886523A763755F8410F7BA19B7,SHA256=1D7671C3D280502F56A96D78E44C6EA22CC87FD612A99BDC0E0814152E529EC1 | IsExecutable=false | Archived=true
EventRecordID=1536339 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:16:56.346 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=885347C20A4422E49D13BBDCC2585A02,SHA256=C5ECDB014944245F4B6DA2A356E8E86C6994BFC4BDBA65B81AEC67A37CE3D3A4,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437216 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:57.869 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437215 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:57.869 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=D45CD429376D9E899F322FA508A6EF33,SHA256=ECDCA65FFFA2FF08EB848A7477157FCC533E663811658F71E5DA19C824B1CBDC | IsExecutable=false | Archived=true
EventRecordID=1536340 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:16:57.349 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=EBFC8E1D4E5A30733890D100AE295749,SHA256=BBD6A12C39B34534693C431F936359E03D44FB382C174BC253F8582166077852,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437224 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:58.932 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventRecordID=5437223 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:58.932 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=40BE19F8F1CF2E8027904FD0B5C0C844,SHA256=18CF1EAD2C8C70245EE8CE2A45A048825D63A477E5081F3A6A2136ED57FE2B07 | IsExecutable=false | Archived=true
EventRecordID=5437222 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:58.885 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437221 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:58.885 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=E994A90477453EA1BDF03740911E5015,SHA256=994BE952A858321F5EFCCCA731545D07D48B2D577F25A7F0BCDF0B1346A7EEEE | IsExecutable=false | Archived=true
EventRecordID=1536341 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:16:58.351 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=0F0C35FDC56ACC42AD3300696654052B,SHA256=F6718DB6599032A20CA75D6C9072B5060776AC7B91CDD9055E820A5A9DEEF0CA,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437220 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:58.494 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventRecordID=5437219 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:58.494 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=AD9AC555AF13B43BC3AD98B08E128BAA,SHA256=314E816630E528A30655AA02F59E12B23BE88CEC7D5912046595EB3DCD92CEF5 | IsExecutable=false | Archived=true
EventRecordID=5437218 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:58.401 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventRecordID=5437217 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:58.401 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=B05FC98B94086145BF9B7098BCCB7765,SHA256=986BE614FC9629C6E4D3FC622272ADE24FFD967EA801C41032D80EAC4A3836E6 | IsExecutable=false | Archived=true
EventRecordID=5437229 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:59.901 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437228 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:59.901 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=81ED3ED3FA6D92DD47D08B722E75ADBB,SHA256=7E09C382A0EC2AD05B891DBC9A638579E25AA614A75510180B8599819ED64F2A | IsExecutable=false | Archived=true
EventRecordID=1536342 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:16:59.354 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=F9EE3816AFF71CB62B9350F527D63E43,SHA256=4201E03C869BFF4786F1FD8B3F5ECC20E4BAC17C59309417332F4079714ED380,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437227 | EventID=3 NetworkConnect | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:45.796 | ProcessGuid={4DF467A6-D939-6137-81AF-00000000F001} | ProcessId=4208 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-291.attackrange.local | SourcePort=63450 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
EventRecordID=5437226 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:59.166 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-09-03 15:27:39.769
EventRecordID=5437225 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:59.166 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=BFC97577E1AFF4C7B420EAA0FBEF6A03,SHA256=253AAA47E8DF1FA4CC8D96D66A671F10D09FCA2F54428C722BE186EA7B80C782 | IsExecutable=false | Archived=true
EventRecordID=5437231 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:00.916 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437230 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:00.916 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=18B7904D596AD5115EB10E70A426DC4B,SHA256=4AA671D6BC21CF15C02966695C2FAE8F4C84B8723AED4A48B36619D550311468 | IsExecutable=false | Archived=true
EventRecordID=1536346 | EventID=3 NetworkConnect | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:16:53.677 | ProcessGuid={AEE49BD1-41F7-6132-D100-00000000F101} | ProcessId=3472 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-296.attackrange.local | SourcePort=60686 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
EventRecordID=1536345 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:00.356 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=475CFCD82C98981276DFBA2F13E96A75,SHA256=58CB93C2E2977C62AB36B42A5856B0D455AA614524E7ED38CEF5C81994DBA152,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=1536344 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:00.024 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=0505ACF2A71CFC0F93AFA87F3D9844B3,SHA256=BE1E1A8D9F38ED984AF6F1A8A2C3D4F33CB71C0653BFAD1D68B0EDCAA75115C0,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=1536343 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:00.024 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=7EE7D8630F34BEC3EBEDD49856986780,SHA256=D012B5C0C571F3329E14B402F0AC7B4F025D13AF9E8F6E8BB677BFA5E5E7D24D,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=1536347 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:01.358 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3EB64997B1672D4882C19BA304014363,SHA256=E4BA9B9E5B8CB38965233513B707049CD60B76FB464845A71CA507B05F49ACA4,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=1536348 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:02.360 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=A9C177F26FEB26587C8F8759602A6F48,SHA256=56A612D969FCDA4A9973090472F013D6EE6619DC522BE1572716134F1D22CA52,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437233 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:02.026 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437232 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:02.026 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=E520917F880EA4B70F2B58720CE6EE9C,SHA256=648D65C44ECAA3821B94A1B7677C61695F2EEF2D7CFF093731B04A184BFB80EC | IsExecutable=false | Archived=true
EventRecordID=5437243 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:03.979 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventRecordID=5437242 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:03.979 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=8629523B6F28DD642C4258985A8FE99D,SHA256=B6FACC98FE537F0DBBE5149D0A4635C952CED20BD13FFE8A8509D6ADBFCD1CD4 | IsExecutable=false | Archived=true
EventRecordID=5437241 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:03.322 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventRecordID=5437240 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:03.322 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=16D750E739E65BC2B998D7E58035D97D,SHA256=E4F1B14FA5D9DEA792A6026E3782C0CFD9A4B182B3841644EE00BA88F02C2F94 | IsExecutable=false | Archived=true
EventRecordID=5437239 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:03.229 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventRecordID=5437238 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:03.229 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=2328ABFFFD7A86BD8FEADC7A2FD319B6,SHA256=F0853687B9A916EE056D4054AD0C578CE7F211E6E9F556C9763D593DBBF45499 | IsExecutable=false | Archived=true
EventRecordID=5437237 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:03.229 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437236 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:03.229 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-09-03 15:27:39.769
EventRecordID=5437235 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:03.229 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=7FE66EC0131C5B91FE3B9F61E428FFBA,SHA256=1D41D9614566E298E47AD1112CCC580E79EC5058FACC83ACC0C5D5B228AB3F21 | IsExecutable=false | Archived=true
EventRecordID=5437234 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:03.229 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=CFEB2C32790F12A9DC16363C41E08C99,SHA256=93A98220875B20A708926CC8AE390BC3A5533B4B2EA31B1878D8F3B625418DEC | IsExecutable=false | Archived=true
EventRecordID=1536349 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:03.363 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=7A68A8A69D865C3E6E781ECD543E192C,SHA256=F2ADC1A3A12C2D896D13AC2C958321E63BCF1D9B5353DC0BE2BE37D89E803847,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437247 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:04.291 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437246 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:04.291 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=331752EE0C1494888126025211E56C06,SHA256=5DB40D0478F0F28E260CD778A18C4E21F70E9963588624CC5828D4CFD44A4A1D | IsExecutable=false | Archived=true
EventRecordID=5437245 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:04.291 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-09-03 15:27:39.769
EventRecordID=5437244 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:04.291 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=C52C9F4BED15F7FB5CA40E5881CFF037,SHA256=0744E1E78CF3424982DEA48A102A62FBCD84DA4DEC3ED47E05006ABB87B79E42 | IsExecutable=false | Archived=true
EventRecordID=1536350 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:04.366 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=D35839CB94DBAB6E68C96EEA78F6488E,SHA256=F5614E13F7E3C3027FEF5CFFD8B94CD7F4429DFC6572251845FB58D1A0C6FE19,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437250 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:05.307 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437249 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:05.307 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=2BD11E55D00C253D033F7C979095E079,SHA256=0EB2026889286B5137876361EA509F846F0CD45F0192C2F2B667ABB446F47BB0 | IsExecutable=false | Archived=true
EventRecordID=1536355 | EventID=3 NetworkConnect | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:16:58.889 | ProcessGuid={AEE49BD1-41F7-6132-D100-00000000F101} | ProcessId=3472 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-296.attackrange.local | SourcePort=60687 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
EventRecordID=1536354 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:05.805 | ProcessGuid={AEE49BD1-415A-6132-1100-00000000F101} | ProcessId=984 | User=NT AUTHORITY\LOCAL SERVICE | Image=C:\Windows\System32\svchost.exe | TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat | Hashes=MD5=4CC736F4C9624862C9B378F1474BD107,SHA256=15B9134AABF488BE4D732AD0149F72D21F5819D5D9F8EE7DD2861E18359D043F,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=1536353 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:05.367 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=8E1FCB21A1A75C17E9707C72A405D185,SHA256=BFFF294C53545C3C400C602AB1E402E6CA9B6826B1C41298DB3810363A32D1B5,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437248 | EventID=3 NetworkConnect | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:16:50.889 | ProcessGuid={4DF467A6-D939-6137-81AF-00000000F001} | ProcessId=4208 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-291.attackrange.local | SourcePort=63451 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
EventRecordID=1536352 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:05.236 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=9D1B22E8FEAE34C5D513B759BBBF8760,SHA256=FCE4058E5A29A40B0C3821D0C22CD992A3A961E2642CD208E0BE205BE432D899,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=1536351 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:05.236 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=0505ACF2A71CFC0F93AFA87F3D9844B3,SHA256=BE1E1A8D9F38ED984AF6F1A8A2C3D4F33CB71C0653BFAD1D68B0EDCAA75115C0,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437252 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:06.322 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437251 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:06.322 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=6556A0060905836FF2403BF7C22012F4,SHA256=42A2D4657FDB7E1AAF154C999FD68DFB98E443BE39DA95528CC73205A6A9F73C | IsExecutable=false | Archived=true
EventRecordID=1536356 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:06.369 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=F585B8F2AC0E36BA0C9A0559D962F614,SHA256=E561B1881F14482B0873B9814C69B4EFAAB6CC8405A6D60263715932101090F6,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=1536357 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:07.371 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=DB3B6C8CD52FC1A91DE0F9BED5EFC8D0,SHA256=EA9B34F2A93F1F38ACA13867AAB7FF498FF54296A745E44EE47BB85B26AEC43C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437254 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:07.449 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437253 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:07.449 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=627B5D1B4EC8C58C43F05A3CFB5F2CBE,SHA256=8772A87C30FE1187095F6B52BD0A08D1CA187FB4F3C14438C5E8B0552A9EB162 | IsExecutable=false | Archived=true
EventRecordID=5437262 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:08.512 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437261 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:08.512 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=EACA3163BD7AC116E1C5C8DB50636472,SHA256=C65F31A6879F70A5508FA5CC568656C4B6D4448C4827612564EB425AA37AABAA | IsExecutable=false | Archived=true
EventRecordID=1536358 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:08.373 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=27724AEFDAC842AA20E36E772E2D1D3C,SHA256=3B47F57CFF1D114048E7E2544E02B3F5211EBDD38F1C67CAD0E1D103EE577F75,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437260 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:08.199 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventRecordID=5437259 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:08.199 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=85BCED3C5B46AA7DC5F0A2F88CD3AC5C,SHA256=44958D5CA1DE898769E9E665B8822D5845A52A51F5E5728DE77A8B3486391DE1 | IsExecutable=false | Archived=true
EventRecordID=5437258 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:08.106 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventRecordID=5437257 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:08.106 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=D57E900A81A9F0FEE4F47DAAB535CAA9,SHA256=1DED4D7F46EB686AD51850766F46B0F990C0848FCDEBCCE6A61B5484F5B0586B | IsExecutable=false | Archived=true
EventRecordID=5437256 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:08.059 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-09-03 15:27:39.769
EventRecordID=5437255 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:08.059 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=92DD658B205F7036BA0A2F9A62A29B16,SHA256=CB9CB21909912BF7E759AC93F74CCB0992901DF0E72A765C36040977393202D2 | IsExecutable=false | Archived=true
EventRecordID=5437266 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:09.715 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437265 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:09.715 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=26694ADB59A6204326B5070C41281A41,SHA256=1473393380B6737E0CE5F337E19E4D6C780B68BA4BC28D5C2BDDF3070D5A9A9F | IsExecutable=false | Archived=true
EventRecordID=1536359 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:09.375 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=49D8D0FB08C3AA4541A6C0A129DC778B,SHA256=581B24218D6F1C0B80EE66DE7E1D23B5EB970E99668F0730834F430208B56D61,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437264 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:09.074 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventRecordID=5437263 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:09.074 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=001A3CF4EA65F0437F8FC98C782471D4,SHA256=5AA719ED5218BB98EF33FCBA83F563B8C37FD7F1D89534D14D0BE06BC1CCEE33 | IsExecutable=false | Archived=true
EventRecordID=5437272 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:10.746 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437271 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:10.746 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=CB57C1C28AD25D85F2D744D14FC09FD3,SHA256=897B6497797C7B218EEDD207158A9279F724377A17FA59E69C82DFFD0B0E539E | IsExecutable=false | Archived=true
EventRecordID=1536362 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:10.396 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=BA452732FB4B5CB7CDBD9415C7C8C6D0,SHA256=9E401AE020591319701B4697792D3C96A4C4B76C29387B36B74557D7CB6E451C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437270 | EventID=12 RegistryEvent | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:17:10.262 | ProcessGuid={4DF467A6-3F58-6132-2800-00000000F001} | ProcessId=2864 | Image=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EventRecordID=5437269 | EventID=12 RegistryEvent | Computer=win-dc-291.attackrange.local | EventType=CreateKey | UtcTime=2021-09-08 18:17:10.262 | ProcessGuid={4DF467A6-3F58-6132-2800-00000000F001} | ProcessId=2864 | Image=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EventRecordID=5437268 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:10.199 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-09-03 15:27:39.769
EventRecordID=5437267 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:10.199 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=67A0965D42436EF684E1DA6B54C5C47A,SHA256=5AA63A4ED0E162CF7812D91927D545CB83CC58DE69337E11F47BC24756C59E7C | IsExecutable=false | Archived=true
EventRecordID=1536361 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:10.331 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=320277B8EED2647C4D3BF0EC091673BF,SHA256=94E4A429115F96F743823638D0D3E7745D0A48F410B98482C64A594287928E74,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=1536360 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:10.331 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=9D1B22E8FEAE34C5D513B759BBBF8760,SHA256=FCE4058E5A29A40B0C3821D0C22CD992A3A961E2642CD208E0BE205BE432D899,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=5437276 | EventID=11 FileCreate | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:11.762 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventRecordID=5437275 | EventID=23 FileDelete | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-08 18:17:11.762 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=D50686B56A2E3E39135CEE425026CE0A,SHA256=0CACD3CB076BC1B12850B67696AFDE42A4BD753904CB48E46186E77D47B9D226 | IsExecutable=false | Archived=true
EventRecordID=1536364 | EventID=23 FileDelete | Computer=win-host-296.attackrange.local | UtcTime=2021-09-08 18:17:11.418 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program (record truncated; continues beyond this section)
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5E79F4224461B0A92B75EEE723DCF7,SHA256=94B8483388565FF6FC8FB253001605949A60EC587F034B37E05C5FE953DFF892,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:11.277{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:11.277{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6642FE02C0111CF664B8AEFCB5EB80A8,SHA256=01E4F5687FED704E3979C598C597C01FEC780FCE27EF98066D324B54C67FBA71falsetrue 354300x80000000000000001536363Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:03.899{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60688-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005437281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:12.809{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:12.809{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241FB4550712F5A2788E6AEC57F07567,SHA256=6EEFC0DF924F80B28A2258484A46D9C7D6233BA9A24B9A081E2C941595F7AA55falsetrue 23542300x80000000000000001536365Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:12.421{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C563691466789F918CC47AD6C4269A6,SHA256=41AC8A29B75264F45465C0190052F51C6273E7EEA7FFAF2861E8F2A2DA604173,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005437279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:57.907{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63453-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005437278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:57.907{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63453-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005437277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:16:56.829{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63452-false10.0.1.12-8000- 11241100x80000000000000005437287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:17:13.840{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:13.840{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75AB9FCF17DBBEE5A21FB7B3674013CD,SHA256=A0D9D4E0331B70030FD5C2F3AF3C9A69BF37B8F22B08288B74684EAC65565A66falsetrue 11241100x80000000000000005437285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:13.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:13.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=971CA0F8C87C9AD7597D2F6F4B724202,SHA256=FBA13B80E26F98BAC65AB199FA229DDDDCCF9C88235025058C796483157551BEfalsetrue 11241100x80000000000000005437283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:13.137{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005437282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:13.137{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D8D61022E6CCB3E53208B2BDCACC73C7,SHA256=9BE796F85133719A04FBE43D8B3BA6505639106B90199923D0D746F13D748EF0falsetrue 23542300x80000000000000001536367Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:13.423{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25C4B3C9983248A7CA9B6801266A572,SHA256=2E59CEDA33BE84F8B6145D4D513CFFD3C3376E538295B479D767F9D0F9F6DA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536366Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:13.085{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:14.871{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:17:14.871{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667D68412D2237B998A920ED08D794D2,SHA256=66F8775B17666311555E05AD9854C9752756A862DADA087D9A9A19C1BE2F7E53falsetrue 23542300x80000000000000001536369Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:14.441{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F6BD8F3C85B3A3F9075C37FCE0D91B,SHA256=5A49EABD9374543AED58E3FBF8C73F13A8326CBC7275754B1800F48B6B6641AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:14.152{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:14.152{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8571574BC5D26FD55322256137CB91E7,SHA256=74B79D39A0C6FED6900363AD86AF69A35114956148A145FC10D90A19BEF92645falsetrue 23542300x80000000000000001536368Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:14.305{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=320277B8EED2647C4D3BF0EC091673BF,SHA256=94E4A429115F96F743823638D0D3E7745D0A48F410B98482C64A594287928E74,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:15.902{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:15.902{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B7018DCF0396AD7AB7AED9C0089F4E,SHA256=BE0390115CF2A20F17E70C20467915A7AE39D96546727856A8402A12433D7F98falsetrue 23542300x80000000000000001536371Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:15.445{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70002204A773C692E6AD01A13911A12B,SHA256=F8BD5E4A7CA1B3EEDAE1A84FE51DB7EA384A17EE66C72A82D2BE639382517B3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001536370Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:07.741{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60689-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x80000000000000005437297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:16.934{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:16.934{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C5EB0CC46AC8C302CB6D6DA1841CFC,SHA256=8F08AF6FF7709E13E3AF0EBF8B4650738FFA8BB655AAA0F5D6159852D2411646falsetrue 23542300x80000000000000001536373Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:16.494{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12600A2A150ADD97CCE7763955A0C2A,SHA256=AB8052D6CDC10934E821C8353C53CC8E4610966F45F494D5BA88E0757BDFA63F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:16.168{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:17:16.168{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=371C8158BCADC26F4FF719D0E8D437A0,SHA256=140FAC35670E82B196C73FA5B02AF8CB8A846BAF2470DF0A142C5E8275101A9Dfalsetrue 23542300x80000000000000001536372Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:16.062{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BED6DC9189425519D53A5679F9047DA,SHA256=AD0BD04B7D9AF9695458B91462744B1DF83A05A579B496603D95A98D1F643626,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:17.965{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:17.965{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C98655E40DCA03EC89C7BA35B30D21B,SHA256=DAA495DD7E29AC030E36E6C6C6FDC7216278642D4EF3C6D182D1895EAECF45B8falsetrue 10341000x80000000000000001536392Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.749{AEE49BD1-FE2D-6138-58CE-00000000F101}41205476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536391Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.618{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE2D-6138-58CE-00000000F101}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536390Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:17.618{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536389Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.618{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536388Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:17.618{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536387Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.618{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536386Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:17.618{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FE2D-6138-58CE-00000000F101}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536385Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.618{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE2D-6138-58CE-00000000F101}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536384Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.613{AEE49BD1-FE2D-6138-58CE-00000000F101}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001536383Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.518{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012830FF76BBCDEFFD48FD8CFCFD0F16,SHA256=639747C654EF9DFED16E6FC57A903908FA72A709F033FEB6C230B100DAD0496E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005437298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:02.797{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63454-false10.0.1.12-8000- 354300x80000000000000001536382Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:09.698{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60690-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001536381Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.017{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE2D-6138-57CE-00000000F101}5540C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536380Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.017{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536379Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:17.017{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536378Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.017{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536377Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:17.017{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536376Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.017{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FE2D-6138-57CE-00000000F101}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536375Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.017{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE2D-6138-57CE-00000000F101}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536374Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:17.011{AEE49BD1-FE2D-6138-57CE-00000000F101}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000005437305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:18.996{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97243C72C38803ED227C8CF3C76CB7E8,SHA256=290C483D1E9F4C8302F3AB8743BF500AAC4BDA93DC3A82585175AB6C756BACA5falsetrue 
23542300x80000000000000001536402Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:18.535{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29ACB75B0E5752F6D2838C62DA76F4BB,SHA256=900292847E71E783E0661E360C43D5C5A3B356E8BBEF5C1A9763B73242320DE1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:18.574{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:18.574{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FB47878D07915049D287D6368FAF53C9,SHA256=2ADE5D905E6CE5799E41CD6B8B8425E81229F84CD923713A45D5A3E12211EFBAfalsetrue 11241100x80000000000000005437302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:18.480{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:18.480{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=84846AA4EA9EA9CB0B6B5551525EF0D4,SHA256=240F18045A0855B81B85154A9536CBF2203348E40CD8D33A98474A68DCBA9C14falsetrue 10341000x80000000000000001536401Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:18.218{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE2E-6138-59CE-00000000F101}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536400Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:18.218{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536399Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:18.218{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536398Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:18.218{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536397Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:18.218{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536396Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:18.218{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FE2E-6138-59CE-00000000F101}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536395Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:18.218{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE2E-6138-59CE-00000000F101}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536394Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:18.213{AEE49BD1-FE2E-6138-59CE-00000000F101}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001536393Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:18.016{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD4FF78F3DB818E325A460E8E5A2D068,SHA256=D84324F2E303F0871CE9CCD04205B2F2BE899598FF7ACDB4EC77A504A3ACFBEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536404Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:19.553{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C9FC62B0C817E941D51D3AF0A287F3,SHA256=35E7CB494C7E32EB07F0442310971601B5CC70D6F05774431FF21D0A5151A86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005437311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:19.749{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7184MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005437310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:19.748{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-71842021-09-08 18:17:19.747 11241100x80000000000000005437309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:19.747{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-71852021-09-08 18:17:19.747 11241100x80000000000000005437308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:19.137{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005437307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:19.137{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=73C2F1BC7C9073265F690F46F393E3A6,SHA256=37DB47C60F777A01D5A92B3A381A40496B302AB291072D9A83B82C592160317Ffalsetrue 11241100x80000000000000005437306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:18.996{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000001536403Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:19.217{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91002C28F6251BF110F24D24E83915F7,SHA256=464E0376C77700DB3F22B58BC8FCEB99597C8E5B44B8339F5755DA485688B8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536405Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:20.556{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93180C2DD36FAD12FDD3113681F83B67,SHA256=9E573B990B89242E3151DE77EA6CED43FE167977B3701A22CA59816BEFE720B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005437314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:17:20.762{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7185MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000005437313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:20.012{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:20.012{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB7D12575B7556EE1B2A099695811E8,SHA256=CA5652B01FB8C21C5A8569A13CDEC15620DB70575704D2F8546F9D10A7369956falsetrue 354300x80000000000000001536408Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:14.826{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60691-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536407Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:21.559{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9191915CF9687BC57DF9398AE975C7,SHA256=B10C2CB2EC81049389E6268E9A22402FD3EFB9567FF13210A31BFA820E95CC6E,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000005437384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:21.997{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:17:21.997{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005437382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:21.997{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:17:21.997{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005437380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:21.997{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:17:21.997{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000005437378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:07.798{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63455-false10.0.1.12-8000- 534500x80000000000000005437377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.450{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005437376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.450{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005437375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.450{4DF467A6-FE31-6138-5ED4-00000000F001}13687060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005437374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.450{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005437373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.450{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005437372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005437371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 
734700x80000000000000005437370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005437369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005437368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005437367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005437366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005437365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005437364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005437363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005437362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005437361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005437360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005437359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 
734700x80000000000000005437358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005437357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005437356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005437355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005437354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005437353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005437352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005437351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C 
Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005437350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005437349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005437348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005437347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL 
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005437346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005437345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005437344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005437343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005437342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005437341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005437340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005437339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005437338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005437337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005437336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005437335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005437334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005437333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005437332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005437331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005437330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005437329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.325{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005437328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.310{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005437327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.310{4DF467A6-FE31-6138-5ED4-00000000F001}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005437326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:21.310{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:17:21.310{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005437324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:17:21.310{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:17:21.310{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005437322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:21.310{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:17:21.310{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005437320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.278{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.278{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08316E07191719AB322FDF02F362B550,SHA256=2FF6F2BB89F817F95DD08B51EC49D91C713CE617CC18E90BB044BDF3A072FC25falsetrue 11241100x80000000000000005437318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.277{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000005437317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.277{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8AA98D52CF4F6AC6C951E480FB0B172,SHA256=2CD75EF7788D6DA9C609DB6160A9E2C7AE67406559AD862F3C7169D757BDF21Cfalsetrue 11241100x80000000000000005437316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A079FA13637ECFCE8B33ADD7D0D655,SHA256=45DA5CF1DA5EB0DED83EFB9D73EACB861BC6F92B6D245EEBE26AE9F05CF0728Cfalsetrue 23542300x80000000000000001536406Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:21.174{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B7A3E1A2A3365C873E86BB1BCAC3343,SHA256=7372BA2ADDD92842E41E3A5A15F1CEF62885956628DCCCE908A0CBF3C4BB5A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536409Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:22.562{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D2482E9545EFD5686DF09A4A4BCFB1,SHA256=E781ADD910C4CCAC8DEBC2E05201FBEBD306CE8AA4C23629E2682E6B831A4727,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005437496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.825{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005437495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.825{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005437494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.825{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005437493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.825{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005437492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005437491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005437490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005437489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336\srvsvcC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005437488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005437487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005437486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005437485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000005437484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005437483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005437482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005437481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005437480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005437479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005437478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005437477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005437476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005437475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005437474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.700{4DF467A6-FE32-6138-60D4-00000000F001}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
(rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005437390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.013{4DF467A6-FE31-6138-5FD4-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005437389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.013{4DF467A6-FE31-6138-5FD4-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005437388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.013{4DF467A6-FE31-6138-5FD4-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005437387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:22.013{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FE31-6138-5FD4-00000000F001}7808C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005437386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.997{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FE31-6138-5FD4-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005437385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:21.998{4DF467A6-FE31-6138-5FD4-00000000F001}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001536410Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:23.580{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D0BD85AD8A6733F41E166BD6094D0D,SHA256=1DE490300460FCF6C3338F6E96A810FD69C0E510725C58105DF7563D74C84CDA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.778{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.778{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C1705D0453437F96182405392E3223C4,SHA256=02A31A32C8E330F3AC3893AC5E1892898D18C1E6ED4634184AC7031D181A66F0falsetrue 11241100x80000000000000005437558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.700{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.700{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6DDA66C35AF6904E14AAC2AD90CDFAA,SHA256=5372A4436298113BDB479612D615BE8E17C611EBD8CFA283ED3748A092D95FCFfalsetrue 11241100x80000000000000005437556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.685{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.685{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=47E51CF418D15B9BE0A175E767B88FAB,SHA256=363BCDFA866A0693E5C0D5EDE526801AB59BEB69AFACBF3CE7D95C8E510D2EFDfalsetrue 11241100x80000000000000005437554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.669{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.669{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B64013EC464F061E3940BB35A333BC,SHA256=D4FB882B5D766336387FF4F491C96ECCA40547870489D14111834D18931E9378falsetrue 534500x80000000000000005437552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.513{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005437551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.513{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005437550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.513{4DF467A6-FE33-6138-61D4-00000000F001}52404148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005437549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:17:23.513{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005437548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.513{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005437547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005437546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 
734700x80000000000000005437545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005437544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005437543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005437542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005437541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005437540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005437539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005437538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005437537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005437536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005437535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005437534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 
734700x80000000000000005437533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005437532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005437531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005437530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005437529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005437528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005437527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005437526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 
(rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005437525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005437524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005437523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005437522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005437521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005437520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005437519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005437518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:23.388{4DF467A6-FE33-6138-61D4-00000000F001}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup 
18:17:24.200{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005437619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.200{4DF467A6-FE34-6138-62D4-00000000F001}54046548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005437618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.200{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005437617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.200{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 
11241100x80000000000000005437616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.200{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.200{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0C782B40EDA79753CAD4DF0C076E5BF1,SHA256=9715CAA213A46B9860B8DE23DB24A0C1C4DF687F103976CBCFA6B68D811DC371falsetrue 11241100x80000000000000005437614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A010353907CD33D91C7490B3129245,SHA256=B92B25A2232E95EDBE0FA73A32ABDFB273163502A52BC18EDBBC12BBBF908077falsetrue 734700x80000000000000005437612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.091{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base 
cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005437611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.091{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005437610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.091{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005437609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:24.091{4DF467A6-FE34-6138-62D4-00000000F001}5404\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005437608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005437607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005437606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005437605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005437604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 
734700x80000000000000005437603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005437602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005437601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005437600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005437599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005437598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005437597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005437596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005437595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005437594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005437593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005437592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005437591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005437590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005437589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005437588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005437587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005437586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005437585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005437584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005437583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005437582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005437581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 
734700x80000000000000005437580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005437579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005437578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005437577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005437576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005437575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005437574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005437573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 
(rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005437572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005437571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005437570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005437569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:17:24.060{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005437568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.060{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005437567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.060{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005437566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:24.060{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:17:24.060{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005437564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:24.060{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:17:24.060{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005437562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:24.060{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:17:24.060{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
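The records above are Sysmon events (ProcessCreate 1, ProcessTerminate 5, ImageLoad 7, ProcessAccess 10, pipe events 17/18, FileCreate 11, FileDelete 23) from the Attack Range host win-dc-291 whose XML field boundaries were lost in extraction: EventID, version, level, task and opcode run together at the front of each record, and PID, image path and hashes run together in the body. The parser below is an added example, not part of this data set or of Splunk's or Sysmon's tooling. It recovers the fields by anchoring on what the Sysmon schema fixes (the header digit layout, {GUID} braces, drive-letter paths, the MD5=/SHA256= prefixes), takes seven records copied verbatim from this page as sample input, and runs two checks a responder would want over the result: which ProcessAccess events asked for PROCESS_ALL_ACCESS (0x1fffff), and whether any loaded module is unsigned or failed signature validation. Assumptions beyond the page: RuleName is the bare '-' seen on every record here; the field order is that of the event versions shown (1 v5, 5 v3, 7 v3, 10 v3, 17/18 v1); and the fused SourceProcessId/SourceThreadId of EventID 10 is split only when another record in the batch reveals the PID for that GUID, because the multiple-of-4 rule for Windows PIDs and TIDs alone leaves several candidates (412428 from csrss.exe stays unresolved; 70441372 from splunkd.exe resolves to PID 7044, TID 1372 because the ProcessCreate record names 7044 as the parent).

```python
"""Recover Sysmon fields from delimiter-stripped event text (added example, not page tooling).

The records on this page lost their XML field boundaries, so the parser anchors on what
the Sysmon schema guarantees: header digits, {GUID}, drive-letter paths, MD5=/SHA256=.
Assumed: RuleName is '-' on every record and fields follow the versions seen here
(1 v5, 5 v3, 7 v3, 10 v3, 17/18 v1).
"""
import re
from typing import List, Optional, Tuple

# Header: EventID Version Level(4) Task(=EventID) Opcode(0) Keywords RecordID Channel Computer '-'
HEADER = re.compile(
    r"^(?P<event_id>\d{1,2})(?P<version>\d)4(?P=event_id)00x80+(?P<record_id>[1-9]\d*)"
    r"(?P<channel>Microsoft-Windows-Sysmon/Operational)(?P<computer>[\w.-]+?)-"
    r"(?P<event_type>[A-Za-z]+)?"  # only pipe events (17/18) carry CreatePipe/ConnectPipe here
    r"(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<body>.*)$", re.S)
GUID = r"\{(?P<%s>[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}"
PATH = r"[A-Za-z]:\\.+?\.(?:exe|dll|sys)"  # non-greedy: a path ends at its first extension
HASHES = r"(?P<hashes>MD5=[0-9A-F]{32},SHA256=[0-9A-F]{64}(?:,IMPHASH=[0-9A-F]{32})?)"
PID_IMAGE = r"(?P<process_id>\d+)(?P<image>" + PATH + r")"
BODY = {
    1: re.compile(GUID % "process_guid" + PID_IMAGE + r".*?(?P<command_line>\"[^\"]*\")"
                  r".*?(?P<integrity>Low|Medium|High|System|AppContainer)" + HASHES
                  + GUID % "parent_guid" + r"(?P<parent_id>\d+)(?P<parent_image>" + PATH
                  + r")(?P<parent_command_line>.*)$", re.S),
    5: re.compile(GUID % "process_guid" + PID_IMAGE),
    7: re.compile(GUID % "process_guid" + PID_IMAGE + r"(?P<image_loaded>" + PATH + r")"
                  r"(?P<version_info>.*?)" + HASHES + r"(?P<signed>true|false)(?P<signature>.*?)"
                  r"(?P<signature_status>Valid|Invalid|Expired|Revoked|Unavailable|Unknown)\s*$", re.S),
    # GrantedAccess is lowercase hex; [0-9a-f] stops it swallowing the 'C' of C:\ in CallTrace
    10: re.compile(GUID % "source_guid" + r"(?P<source_ids>\d+)(?P<source_image>" + PATH + r")"
                   + GUID % "target_guid" + r"(?P<target_id>\d+)(?P<target_image>" + PATH + r")"
                   r"(?P<granted_access>0x[0-9a-f]+)(?P<call_trace>.*)$", re.S),
    17: re.compile(GUID % "process_guid" + r"(?P<process_id>\d+)(?P<pipe_name><[^>]+>|\\.+?)"
                   r"(?P<image>" + PATH + r")"),
}
BODY[18] = BODY[17]

def split_pid_tid(fused: str, known_pid: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Split EventID 10's fused SourceProcessId+SourceThreadId. Windows hands out PIDs and
    TIDs as multiples of 4, which prunes candidates but rarely to one; a PID already known
    for the same GUID settles it. Returns None while the split stays ambiguous."""
    if known_pid and fused.startswith(known_pid):
        tid = fused[len(known_pid):]
        if tid and tid[0] != "0" and int(tid) % 4 == 0:
            return known_pid, tid
    cands = [(fused[:i], fused[i:]) for i in range(1, len(fused))
             if fused[i] != "0" and int(fused[:i]) % 4 == 0 and int(fused[i:]) % 4 == 0]
    return cands[0] if len(cands) == 1 else None

def parse_record(text: str) -> dict:
    """Header fields for any record, plus body fields for the event types in BODY."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a flattened Sysmon record: %r" % text[:40])
    rec = {k: v for k, v in m.groupdict().items() if k != "body" and v is not None}
    rec["event_id"] = int(rec["event_id"])
    bm = BODY[rec["event_id"]].match(m.group("body")) if rec["event_id"] in BODY else None
    if bm:
        rec.update({k: v.strip() for k, v in bm.groupdict().items()})
    return rec

def parse_batch(records: List[str]) -> List[dict]:
    """Parse all records, then resolve fused PID/TID pairs with PIDs learned from siblings."""
    recs = [parse_record(r) for r in records]
    known = {}  # ProcessGuid -> PID, taken only where a path follows the PID (unambiguous)
    for r in recs:
        for g, p in (("process_guid", "process_id"), ("parent_guid", "parent_id"),
                     ("target_guid", "target_id")):
            if g in r:
                known[r[g]] = r[p]
    for r in recs:
        if r["event_id"] == 10:
            r["source_pid_tid"] = split_pid_tid(r["source_ids"], known.get(r["source_guid"]))
    return recs

PROCESS_ALL_ACCESS = 0x1FFFFF

def full_access_opens(recs: List[dict]) -> List[tuple]:
    """ProcessAccess records requesting PROCESS_ALL_ACCESS. On this page the openers are
    csrss.exe and the parent splunkd.exe at child start-up, the expected pattern, not injection."""
    return [(r["source_image"], r["target_image"], r["source_pid_tid"]) for r in recs
            if r["event_id"] == 10 and int(r["granted_access"], 16) == PROCESS_ALL_ACCESS]

def unsigned_or_invalid_loads(recs: List[dict]) -> List[str]:
    """ImageLoad records whose module is unsigned or whose signature did not validate."""
    return [r["image_loaded"] for r in recs
            if r["event_id"] == 7 and (r["signed"] != "true" or r["signature_status"] != "Valid")]

# Sample input: seven records copied verbatim from this page (win-dc-291, 2021-09-08 18:17:24).
SAMPLE_RECORDS = [
    r'154100x80000000000000005437567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.060{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
    r'10341000x80000000000000005437569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.060{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f',
    r'10341000x80000000000000005437568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.060{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781',
    r'734700x80000000000000005437571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.075{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid',
    r'18141800x80000000000000005437566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:24.060{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe',
    r'18141800x80000000000000005437609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:24.091{4DF467A6-FE34-6138-62D4-00000000F001}5404\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe',
    r'534500x80000000000000005437620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.200{4DF467A6-FE34-6138-62D4-00000000F001}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe',
]
```

Call parse_batch(SAMPLE_RECORDS) and hand the result to the two checks. On these samples both 0x1fffff opens are csrss.exe and the parent splunkd.exe reaching the new splunk-admon.exe in the same millisecond as its ProcessCreate record, which is what process start-up looks like rather than a foreign handle, and the ImageLoad is Microsoft-signed with status Valid. The FileVersion/Description/Product/Company/OriginalFileName run of EventID 7 is kept as one version_info string because nothing in the flattened text delimits it, so treat anything pulled out of that run as best effort rather than a field.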
23542300x80000000000000001536412Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:25.633{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB4BCC5774B11D6AB669C645C6F74EE,SHA256=DBFE3E72775212A56413EDE13A346EDD9A34A82421660642E989FEF69EEBEEF2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.607{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.607{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822FB5E2B8CA2B4332C505CFAE0E3DFD,SHA256=ED378CA9E69BD351A9C2AA17FEEEFAAC09DFA7ADC9214603A0BF46E6CAA03D34falsetrue 11241100x80000000000000005437742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.591{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.591{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC46B8B474EBAE8F7364174D94473B1,SHA256=5D1388CF2F520BD71D1202677CE019C4A95BC8EAD680E99E7B41B0A06CEE9496falsetrue 534500x80000000000000005437740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.575{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005437739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.575{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005437738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.575{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005437737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.575{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005437736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.466{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005437735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005437734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005437733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116\srvsvcC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005437732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005437731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005437730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005437729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005437728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005437727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005437726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005437725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005437724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005437723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005437722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005437721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005437720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005437719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005437718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005437717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005437716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005437715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005437714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005437713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005437712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005437711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005437710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005437709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005437708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005437707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005437706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 
734700x80000000000000005437705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005437704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005437703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005437702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005437701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005437700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005437699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005437698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005437697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005437696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005437695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005437694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:17:25.450{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005437693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.450{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005437692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.435{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005437691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.435{4DF467A6-FE35-6138-64D4-00000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005437690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:25.435{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:17:25.435{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005437688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:25.435{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:17:25.435{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
18141800x80000000000000005437686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:17:25.435{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005437685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:17:25.435{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005437684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:25.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2E3B8644EE33472A1CA879A6B30E2A3,SHA256=EE96BC4053BEF3B430374C80ED84863B05425D5E227532ED59C054B6B8D8E0C1falsetrue 354300x80000000000000005437751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:12.892{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63456-false10.0.1.12-8000- 11241100x80000000000000005437750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:26.591{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 
15:28:51.675 23542300x80000000000000005437749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:26.591{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B2FCB46A089F9357A1590C2EE232BA,SHA256=22C3B5D2FA4500D7ED18705CC8A3FBF12601ACA49509DF6EC927490E53811FD7falsetrue 23542300x80000000000000001536413Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:26.635{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3862B623FA52B43A3E83300E1D347EFF,SHA256=89A877AD5A2E7188195915D314DB306D6AAD6E1026F19FDE8D53824541D6378B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005437748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:17:26.325{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005437747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:17:26.325{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 11241100x80000000000000005437746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:26.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:26.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F259EA73EF7502F7D24BA6BBCD3ADEA2,SHA256=7A1B4C31F59261BD2FE5A5262E8AD728A3C3B1E210D92E7EB527DA801DF70508falsetrue 23542300x80000000000000001536416Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:27.638{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDB102CFB1B727A2C47F61BEA53E92E,SHA256=4CD06298CBF71B19BCC0C737D39629AD6F466A5BB68EAC38FBD58D2AD40AE631,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:27.604{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:27.604{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2685788E678E85AA1708D82309F20A76,SHA256=94C6CC51EE6B2BB9A7B9433C08EE2F3B2D17DE8DE176F989D79A5429F1B1E481falsetrue 
23542300x80000000000000001536415Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:27.188{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C436FC6B77E04E66E6BAC1E12CDD522D,SHA256=2D3BEA77CFD0F3F33D095722886AA1A6A8E81D33EE8A0A1F6CF74FFC3EC13902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536414Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:27.188{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FFE086950F8FFA7BA3116F1BF98CF2D,SHA256=4DB4701013C30164C47B4845BD940D1289D0F2FEC20F0DD263F65F6FC5EAB161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536418Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:28.660{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25965C4FFBA2DE96399787BA6B5737D7,SHA256=5406A451EA465E1E31BE3B59EDCF70BA418BEC671E8ADBF33EF809905B983A44,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:28.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:17:28.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CA12C0B0E4CD63211C53C6E646C5ADD,SHA256=C4593ADFCC36EC4E3A78B541FF280AC3B48F52285BAA661D334BB40BD05D37D1falsetrue 354300x80000000000000001536417Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:20.824{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60692-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005437759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:28.417{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:28.417{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=428F17E05B0B4FF7F11A56DF1C019FAD,SHA256=D2A866F32E1E19DF4BDECF1867AB74475A069437D33FFA17D71332544C18A40Bfalsetrue 11241100x80000000000000005437757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:28.323{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005437756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:28.323{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B2405946154EA8F4669C3F23BAA7AF88,SHA256=CBBA3404E1034B31920FA5E8D2BBBF45315D8B2B83C9FE46D7413380B4B3B3E9falsetrue 11241100x80000000000000005437755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:28.089{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:28.089{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F07550064F236EB98953272997C510,SHA256=4C13A9F0D1787C661FF9795C453E986411025A7CF41C306F9986E2FF6A486A9Dfalsetrue 23542300x80000000000000001536419Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:29.694{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E289AA00882B2EE78A575F9984B89941,SHA256=4DEA0BE1196BE028B12D2FD8B5FE16202ED2218881F207AA6C2F812E56FFB233,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:29.636{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:29.636{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C1E00D901DC7EDB0C5C29D69A172F9,SHA256=0DB84D63329A1EFA09E83D9D1F36A865716235A0BE89B572417431DCB4D24CD9falsetrue 11241100x80000000000000005437763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:29.214{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:29.214{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E29EF28A7FDBE4118A73DDC922FD3335,SHA256=2E55F37CF3FE4C08B30B91D9C9277D25084B51940DC9A3C297B54998CD5227B7falsetrue 11241100x80000000000000005437769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:30.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005437768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:30.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3820A6C8C8EABC615B1213BFC7863C,SHA256=D82BC22414FC22F8099BCDB7BBF101D1FE947D7E703A7F000024C6BC468EA027falsetrue 23542300x80000000000000001536420Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:30.697{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBABED41779D594A92CB933AF63A958C,SHA256=6FBF20FAD0AF91FDE2A910C37E039056282301D9BD938F8DA9C01D5809F6067A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:30.292{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x80000000000000005437766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:30.292{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=82A095AC447684C60C020919BC239F76,SHA256=B79AD3B76C38D801E22CAB041FDC5B53F2B417E78BAE2EE10CCF174298E6C165falsetrue 23542300x80000000000000001536421Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:31.700{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30114281E55DE2676A6F3FAF91E3009D,SHA256=2DD58635EFC80322E16E5E4EC4E01CB996F2C03F9E194C8462C804135EB88FB9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:31.667{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:31.667{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260A9460CF4F7BEE67E2E20A4C02DD10,SHA256=2A8738C0B85AA342F66327D5363FDED32BF745C6834C090C271D96C0A1AD2B82falsetrue 23542300x80000000000000001536431Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:32.702{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602AA745EE2273D6EBD0FC2783BAD70D,SHA256=F54D621885BA15A57688B46780111FDB74FF5FD92B79AF4B49B540067229BB0D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:32.683{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005437774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:32.683{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757890E75DAFD7D2FD5FB5DEF26A1FF4,SHA256=FD920A5FC219DAE33514654A8E5FE62475D022B565790BF974F2C07F8CB9F7D0falsetrue 10341000x80000000000000001536430Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:32.555{AEE49BD1-FE3C-6138-5ACE-00000000F101}25562784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536429Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:32.433{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE3C-6138-5ACE-00000000F101}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536428Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:32.433{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536427Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:32.433{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536426Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:32.433{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536425Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:32.433{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536424Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:32.433{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FE3C-6138-5ACE-00000000F101}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536423Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:32.433{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE3C-6138-5ACE-00000000F101}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536422Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:32.418{AEE49BD1-FE3C-6138-5ACE-00000000F101}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005437773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:32.417{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:32.417{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=440602B326BCC39B2C17452A763FC184,SHA256=CFECFF448162AADA888B660E9218326C56DF31AE965AD3E1E22D64FDD47B60ADfalsetrue 11241100x80000000000000005437781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:33.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:33.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D0486C2E73300A95F89CDC19BD9A48,SHA256=403945B9E64F711D6D85977005415821540200B440935B27637F1C24D8F6D44Bfalsetrue 10341000x80000000000000001536452Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.918{AEE49BD1-FE3D-6138-5CCE-00000000F101}29246100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536451Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.803{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE3D-6138-5CCE-00000000F101}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536450Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:33.803{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536449Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.803{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536448Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:33.803{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536447Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.803{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536446Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:33.803{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FE3D-6138-5CCE-00000000F101}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536445Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.803{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE3D-6138-5CCE-00000000F101}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536444Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.788{AEE49BD1-FE3D-6138-5CCE-00000000F101}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001536443Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.703{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC0BF43BC18DE3E22A11A14D0520925,SHA256=62BD8B64E3BE2E96898D9F86135DCA402F4BCEFF9189AAC4BD6401F988B8F3E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001536442Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.233{AEE49BD1-FE3D-6138-5BCE-00000000F101}55926000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536441Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.118{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE3D-6138-5BCE-00000000F101}5592C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536440Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.118{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536439Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:33.118{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536438Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.118{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536437Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:33.118{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536436Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.118{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FE3D-6138-5BCE-00000000F101}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536435Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.118{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE3D-6138-5BCE-00000000F101}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536434Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.103{AEE49BD1-FE3D-6138-5BCE-00000000F101}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001536433Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.102{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B9B373706284B398B397554E860E3BB,SHA256=CD2E3E3936D2952BFE4893957420BD9215D22FD802451ED94505FE510D483212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536432Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:33.102{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C436FC6B77E04E66E6BAC1E12CDD522D,SHA256=2D3BEA77CFD0F3F33D095722886AA1A6A8E81D33EE8A0A1F6CF74FFC3EC13902,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:33.479{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:33.479{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B305A331AA27B0D4F7E6EA5BF3A202BF,SHA256=67D4271F2992A5692FA41528439CE465F43FD0ED397295B7398F4B2F7BF8BEFCfalsetrue 11241100x80000000000000005437777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:33.386{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:33.386{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6352C254D9575BD49AA4DAC1EC8CFBC8,SHA256=9DB77733AE0BCC772785306361E7C48FB9F8418BDDF8FA3A2FC8849E420944EFfalsetrue 11241100x80000000000000005437786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:34.714{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:34.714{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF42C56D54867079F8D4ABF51989447,SHA256=675563FE191596EC159FD34515E8B6FACF5C6628DE7CDEF2C1D98FD96CD11248falsetrue 23542300x80000000000000001536455Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:34.705{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0F418DB056E9402585D7444503FC1A,SHA256=FF6BBD468780D82617A2945FE2A71F51FEE2B55A35EE035D15C007FF6A544E97,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:34.292{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005437783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:34.292{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AA6F498A0B5D31FBB53087C5E64D6E06,SHA256=6FDC25BC0950C0748492393E494F1E332948C411F397A3A6C51F92658F87CC89falsetrue 354300x80000000000000005437782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:18.889{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63457-false10.0.1.12-8000- 354300x80000000000000001536454Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:26.756{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60693-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536453Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:34.103{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B9B373706284B398B397554E860E3BB,SHA256=CD2E3E3936D2952BFE4893957420BD9215D22FD802451ED94505FE510D483212,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:35.729{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:35.729{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB4487A860C502D66E8FEE0C8598986,SHA256=299E6B307400E11973D65CF2EA6C8D54A421CF22A1135211395389F20F35D86Afalsetrue 23542300x80000000000000001536456Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:35.726{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF17466684A07E7FCFE05475F594C5E,SHA256=62C2EF0CE5DF948D465B5FFBD77EDE2EBDB6B72A9B94381C0AC0478742C7317E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536458Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:36.740{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A763FF842982BDD12D4B346749A59E,SHA256=75E830ACEB4631345B7BCCFB4EDB75CD842855098B3DA00FE945D67324EC4C4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:36.745{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:36.745{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2126F61CF6342817154280E1BE56F12,SHA256=46554BFEE1892A226E404A91D77D37A8319061CB71026FD75D57C3E2A049B07Efalsetrue 23542300x80000000000000001536457Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:36.178{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7175MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536460Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:37.763{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7F0D9424C53D446553D1DE37D58731,SHA256=8D3C903BC62B2FA0BA9492D3285494516D00A002BB51D4B519350E155D004967,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:37.761{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005437791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:37.761{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA6ADC3847CECA94BF3E222D0C65A9C9,SHA256=946F6FA8DAB4ABAB753DD83F8B24BB6698584334F78B3C219A9FC6C5C724C21Ffalsetrue 23542300x80000000000000001536459Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:37.179{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7176MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:38.776{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:38.776{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB26D13D64BC6F5D29ECB266B6A3320,SHA256=AB0DF35EEE8766BA6E2880ECB54FECC8F5B8151FFD35EBA6DE9BC8EE0C9301B3falsetrue 23542300x80000000000000001536462Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:38.767{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D631AF1E089E6A88E58D1EADFF30D4BD,SHA256=6E6111BAC67DD3B95EAAAA813D34EBE9D029FE313584CBD6D5354F6946B2A0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536461Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:38.228{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D93D9B4C589BF4BD4BB1E149BA417E,SHA256=F7670FA2A6E814BB7EC977C08A70E07AEDF027E3DF62EED1C98FECFE30946FF3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:38.558{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:38.558{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E6E77EFA53B48C6EA92AA2D555394282,SHA256=CBB96CE3FF2C5C2027074F05A4790ED073715EB9DA991EBE754F2E7592022FB3falsetrue 11241100x80000000000000005437798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:38.464{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:38.464{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C68BC03DB003A750BB15EF73C4E9EAB9,SHA256=427CC234844DDDA8FBD62934AEE3C097D926022E31536F9E99D4B2C0601B19B5falsetrue 11241100x80000000000000005437796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:38.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:38.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0579CE7D7655246D6D6850C6432584C3,SHA256=36E458D953720F3844B33003B8F5853B9976C3018DD5FEC1B85BC11EF104152Efalsetrue 11241100x80000000000000005437794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:38.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:38.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=848247F9510AADC3F92679FAE2545C5C,SHA256=722559A44A525164D763F409D22DA08B56AE1CD8695FE9463D13205711CB32CCfalsetrue 11241100x80000000000000005437807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:39.792{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:39.792{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1F65297E97E2FA032B20F8507DBDC2,SHA256=2316CEABB714D7594A0E93241BF3118F1119E46F46CC20B4160EA0942F60D00Afalsetrue 23542300x80000000000000001536463Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:39.802{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7302EC63B3FFE1227CFCE4180CA97929,SHA256=841ED2FE4699AF2228A65AE55C00E6BDFAE7E7021B00F3A95E07BE049BE685C0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:39.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 
15:27:39.754 23542300x80000000000000005437804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:39.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C69850122E9952870905C99D92C0F2B7,SHA256=B824A26465E81333D123328E2F357BDD367FDA6EF234919FBB491055F5A9F4D2falsetrue 354300x80000000000000005437803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:24.655{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63458-false10.0.1.12-8000- 11241100x80000000000000005437809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:40.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:40.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67734E0DDAFED6542BBAA370278564BC,SHA256=E6B244EBD18C023E3A08ACC7596290B57D554AD3C598959249241D6AEBCEA888falsetrue 23542300x80000000000000001536465Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:40.836{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E122EEA3C4FA60B327FA3FC9D61EC3A,SHA256=F8A4770B6495BF3D0287AABD8DE40353CB20AF3F9525D877BFFBED695F01BBAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001536464Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:31.862{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60694-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536466Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:41.839{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA2C65D9F7C9620402C74D4DC6B0241,SHA256=F0D4F6DB13A09275ED7EBFC95A4B02C44999DA6AD2884382D1E0436005E0B234,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:41.823{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:41.823{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3AB7B79C0C8EDA0A7915563605693D,SHA256=9D23D5DDB9952E400B2FCABDE0AAEBA6CF0D6F95F5CD9F5F2E337651EC563814falsetrue 11241100x80000000000000005437813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:42.839{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:42.839{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656EE01F8FC2547F5C6AAEC4420CE74A,SHA256=F839F53FF0FB131E4B8C250612E0DF15F30418ACD877AB6E4F4CD76D9297E7E3falsetrue 23542300x80000000000000001536475Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:42.841{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDCC3832D1FC497D0F10A8D04B67ADF,SHA256=AEA5CAE1D5A6F4C278BA511EF445E18FF9070E2302D57C297AAE297E1F90054B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001536474Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:42.756{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE46-6138-5DCE-00000000F101}3820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536473Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:42.756{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536472Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:42.756{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536471Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:42.756{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536470Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:42.756{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536469Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:42.756{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FE46-6138-5DCE-00000000F101}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536468Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:42.756{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE46-6138-5DCE-00000000F101}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536467Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:42.742{AEE49BD1-FE46-6138-5DCE-00000000F101}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005437823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:43.854{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:43.854{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4B6FBF693462D2EA71BB2572CB4D49,SHA256=D8F1F5F88AA7CDBA0AB74B8EA71260D3109D5C5589D666D288C054635EC05587falsetrue 11241100x80000000000000005437821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:43.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:43.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BD970E3D564224A58727EC2AD15ABB97,SHA256=5EE07F0F340CD7305DB5DBDDAE5D8DFDB3DAA8CB357923A4132CAEF4DFA5AB0Afalsetrue 11241100x80000000000000005437819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:43.526{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:43.526{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FC249C61E81CF94566F1C90F509FAA7E,SHA256=E062A7865A74E5588A78A19AC49E539764AA044D2B0C27199BE1004F54A3354Efalsetrue 
11241100x80000000000000005437817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:43.089{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:43.089{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89232864FFFDE4EEA1DCCCEEE3C6BD5C,SHA256=6899119D6085AF49CDC22C5FF96957086039DC3744290BC8AA92D92456A1F988falsetrue 11241100x80000000000000005437815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:43.089{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:43.089{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0579CE7D7655246D6D6850C6432584C3,SHA256=36E458D953720F3844B33003B8F5853B9976C3018DD5FEC1B85BC11EF104152Efalsetrue 23542300x80000000000000001536478Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:43.841{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FF3D17BCA51011CE7F4307BAF5C480,SHA256=15998003F7D0CA2D49AB3E251518FE1B8B7DF21A8913736E99353A11450DA1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536477Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:43.240{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0198D7A094B980145FA5749D696F9DF0,SHA256=FEC9072695165E7F36940B06B0CF84A8136F1396912CD0F141034FE85080B388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536476Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:43.240{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A3077CB6D4EAD6C03D11EE9B5606CC7,SHA256=FD4CF76ED5966B271284720EBAAAD99D5B2606B34E7EE3E5CF76D2D76654B152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536480Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:44.877{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A935083F45A3C43F83AD6567578616BC,SHA256=13B398464DF36F2A1CB31DDACCBE28D178F1E14C0428D1D25D790677B1EEAF93,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:44.870{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:44.870{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994C840615113721FF055A1EA1C4D9B1,SHA256=A6579C1B4FCDB19BABE638CB517178149E2C2DE464F9525CDDC24C7071322947falsetrue 11241100x80000000000000005437826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:44.401{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:44.401{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7FB98519F6E81E6C33C16DF65991B8E4,SHA256=90231052CA3BC4D46342927C2204B29EB482A2AA0DFFBDA16148D3BB85E93A35falsetrue 354300x80000000000000005437824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:29.780{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63459-false10.0.1.12-8000- 354300x80000000000000001536479Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:17:36.863{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60695-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005437830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:45.886{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:45.886{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A74E9EE92FC7328BB9D8773A023F4D6,SHA256=68F08D87CB661899BB0B5997686AB174AB0CB753C2E82029251876195737EA8Dfalsetrue 23542300x80000000000000001536481Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:45.916{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8829E7CC8C885CFB21B97CDB2DFF51E3,SHA256=D1DDF2B5E0A99A0A1EAAB6B00405C6BD95494B0704423FEFCA3E80E0C39B05F4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:46.901{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:46.901{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D405A055B349A565458AC20760CBDF6F,SHA256=509F2CBEB2050E17105AD35A67529C073307CB2719E84B959B47BF21B8D1AB4Ffalsetrue 23542300x80000000000000001536482Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:46.919{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4229A2F0B9C580EE82322AA685C424C7,SHA256=ECA6BE76A71ADF08936AD9DAD5D4B00DE6E5BF3C4154B5DD1A81E3E672DC73D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536483Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:47.952{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903E7748BB6AA755933C0E9BCF1AA305,SHA256=D3045D8A617E0CE387C38B7FF7C7ABE4DD64105DB420FEDF6890EE78AB54B259,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:47.916{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:47.916{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386A3E90389321C5E5C9C605941A9960,SHA256=D79CC035329321421F27B8C3CAC974437954DA9100D988647B9AF7EAC7AE445Afalsetrue 11241100x80000000000000005437834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:47.760{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005437833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:47.760{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 23542300x80000000000000001536484Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:48.955{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8074CEF7BEE9B17852CD56B270A24CBE,SHA256=F6874388E702A3754614188349633946A87451784887FFEAB5C96E0CBD9AA211,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:17:48.932{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:48.932{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D151C05CD5581798B0349E17FD8B02,SHA256=03216D985064B74E54851FFCED7B8E94BD82A1109481F9E892208DD526599E77falsetrue 11241100x80000000000000005437844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:48.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:48.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D10E2922BA1AB83F4B5A0ED4F8EB5D2B,SHA256=945EE4EF449D696C20EACE1BF8DFC759CE064A0CF4462A0A3BA1A7569849DEF2falsetrue 11241100x80000000000000005437842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:48.526{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005437841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:48.526{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A58841E9F0484E45BF996FF2CB8CEDE,SHA256=A740C4FF33E14BF6959698E7ABE587DF7A041118BA65320E9EBDBF2A0F6B7D47falsetrue 11241100x80000000000000005437840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:48.088{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:48.088{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04665D466C2674E3C2491C6956A55C4E,SHA256=56F4E503705FB8D7F82F3A5579EF5D962ADCAD8BE70DCB0B0640C4A511FAB337falsetrue 11241100x80000000000000005437838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:48.088{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:48.088{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89232864FFFDE4EEA1DCCCEEE3C6BD5C,SHA256=6899119D6085AF49CDC22C5FF96957086039DC3744290BC8AA92D92456A1F988falsetrue 23542300x80000000000000001536488Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:49.957{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E661DD5BAE3F20E9CA0DA1B51FDAE9D4,SHA256=5BCBCE782548AB96D656CC39CB230EA2000A376C94C705F534FD1499E169C1EF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:49.948{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:49.948{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D5D9029423C0CEE5ADBA2364D337E3,SHA256=160BF063346C8D3758CC6E520CB745A5DC451F6E0D05F3931F2FE5B3D5F5403Bfalsetrue 354300x80000000000000001536487Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:42.738{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60696-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x80000000000000001536486Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:49.139{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00102AF5FB98DAAFCF6F8E161BF646F7,SHA256=34A3B3C27A75C6E62DBA3AEC81A0561069C3EE46BAD07991F04D0D6D3EC43928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536485Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:49.139{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0198D7A094B980145FA5749D696F9DF0,SHA256=FEC9072695165E7F36940B06B0CF84A8136F1396912CD0F141034FE85080B388,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:49.479{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:49.479{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=63C2F1856C7C323B2FE5060E88464F11,SHA256=6FEC1577B2DAFB163A949D39E1DF12DC005149031F468038D2EBD834E5E1041Bfalsetrue 354300x80000000000000005437848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:17:35.717{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63461-false10.0.1.12-8000- 354300x80000000000000005437847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:35.389{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63460-false10.0.1.12-8089- 11241100x80000000000000005437854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:50.963{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:50.963{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FC297ED9A560090A1D53BA934E9E53,SHA256=A27CF54EDC713682FBBED524AF12A32B55F63D060B35431BB13C7DB4F3967B38falsetrue 23542300x80000000000000001536489Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:50.959{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1FF9728225C268D0BE4B821291B129,SHA256=FDC65895C20D900D79F296D8E6A7605BAA7F50A967C0BD7FC1D8B6D6AE019F47,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005437856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:51.979{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:51.979{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C7428EFCD6056AEA7D3EAB1F8A0777,SHA256=39C88B8BABAA115C3D7DE0E1C823C31EF4A2F1CC3DC2D12FEC28D3A54D81C4CBfalsetrue 23542300x80000000000000001536490Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:51.962{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61711455CBC9744DF057DA31D20D2A05,SHA256=C740A17DD9ADF59253158FA82602BAF5EC336212585A6E504D31F65A8F254AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536491Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:17:52.964{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEFBE89868CF71212178B3BADD11933,SHA256=F5AADE2C2D9AD7796A3D4877806979E8017075ED053A635616707B70AB3FB34E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000005437926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:08.906{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F9CFA83E98092D67B38B0398F192D5,SHA256=8CB2ADFBD328E0B310BE5803D9B1E237A5AFEC8EBEA6551983F5FBF95D22A9F9falsetrue 23542300x80000000000000001536517Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:08.071{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CEAAEB630D30EFAED50A6A5588DDA4,SHA256=BB2FD4337F5530BC57B5EBD73E02C575359341979BCC7F82EAFC83E508EC3960,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:08.843{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:08.843{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=60C0FABA0B3713D1FC8E868145BA50FA,SHA256=A6C1CA9D79B8A8F97CB68A55834DA48BE9DA074E6A2B5CD8A5DCA2D016CF0C29falsetrue 11241100x80000000000000005437923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:08.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:08.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BE639BF8EDFA205ACA5B510EF1A902C7,SHA256=C2E3938AB57720B67BA1A1DF637CBA5687590AB3C3F6DAA2E4ECBBFC6203D7A3falsetrue 11241100x80000000000000005437921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:08.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:08.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D7519363ACB9763C78DA09408E3D067,SHA256=E145614143C40BAD7937A47D8872A6645BFFF25D27D354BB54E7346EB75AF371falsetrue 11241100x80000000000000005437931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:09.937{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005437930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:09.937{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91462276B83C6B32A952F8B1EDEED2F8,SHA256=53EAD4E5306A3383B4915F0DDEB5EDDFA2BE89C50B48D8F0B55C196AE2F84288falsetrue 23542300x80000000000000001536518Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:09.088{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E7CE39E6303E19F6BCD7020D509729,SHA256=3C1048B5B9C2F2DA6F22B7813CB5F46FC19417838CFA2F07FB90670C7EDE726A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:09.687{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:09.687{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=89ED21C21468327E57F2893A21F89317,SHA256=1FF9168E8745537D79407C8B4828819950E070492C50CB269053A2DD91D2D246falsetrue 354300x80000000000000001536522Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:18:03.842{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60700-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536521Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:10.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07919E7ED2C37B9BC87650A7C10E94BF,SHA256=46CA143BE3155A302E0F59CEE28B0591EEB4A377F5917F1905B8F9C907BF1DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536520Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:10.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4332E3EC1C57E638B188D52AF914F54E,SHA256=46D9E7C14604EEE8C23D298F656B3C5CC7E606D096B698686F7AE5CF1A0384EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536519Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:10.090{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBF7271167A7D6A79A1CB1D38306F32,SHA256=BA7CAE0BB38234EF6E4F15D69FE8F3B2D2A3DCBFAFB75AFD38339925D4AE4FA8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000005437971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1726C7D66D483EF6DF4FFCFD8242A279,SHA256=B5C6D0F5C91B27B3D998639F30608A53E97898742189C71571BB90AFB12CACADfalsetrue 11241100x80000000000000005437970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000005437969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EA9B37DAEBCA60CAA89B8E8E9DC75562,SHA256=E107D97AD6A408D0C7CBDDDCB322C7AD28603906E2BC284F637A192C37B6ACF2falsetrue 12241200x80000000000000005437968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:10.281{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005437967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:10.281{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
11241100x80000000000000005437966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA14F9F2C6AAE22C6A79E57E7727E07C,SHA256=4CF26072BE58E2ECBD112D59A7DFCE41E7BC856D8034D11C3D2A5A6FFFBAC84Afalsetrue 10341000x80000000000000005437964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:10.077{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001536523Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:11.092{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756504C2F829EC1B594056B947329F17,SHA256=180E8E383D7F8CBE4B8BB86B71566439C98539A87369681B47DDF824604F5C76,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:11.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005437976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:11.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0A19B4FD41D67EE9E923EC791117EF9,SHA256=F27F9397F01AB695041AD02B5E1D0CA5810BF3509839EA78D951AF722BBEB0C6falsetrue 11241100x80000000000000005437975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:11.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:11.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BD8E4E141B672AF31949873B30CCDD,SHA256=0CD71EC072A1114F7110D6F25354E832AD063F7990BFEF59EAB9322B656C2004falsetrue 
354300x80000000000000005437973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:56.830{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63465-false10.0.1.12-8000- 354300x80000000000000005437981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:57.924{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63466-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005437980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:17:57.924{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63466-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 11241100x80000000000000005437979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:12.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:12.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30E114694070F0550B3D2E2A2B762DC,SHA256=024E65FE3C3E041298EAE015EDB79B101EDCD1D3856FDCD11352FB9C946984D3falsetrue 23542300x80000000000000001536524Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:18:12.094{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0EBF8CF9E30044E1855FDD7EB8A9AE,SHA256=B3253DA8F10C19171704C83800E06E24920E9329B120579C52AE8164A00D15C6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:13.890{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:13.890{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1537C9067D57642EA9E42939FE27446D,SHA256=56F67288FFF2CEEF002E1FF8F3D16254AF985723AF5E1E41DC0D2FC5F60163AEfalsetrue 11241100x80000000000000005437985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:13.796{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:13.796{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F83E9891C79040AA029C072CA27F1417,SHA256=4B1253CE69912F96D2A1B6E695A43CE12FB9A746F391BD7F6C4DE81A90C82CE2falsetrue 11241100x80000000000000005437983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:13.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:13.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8778BC66C56F029C1F738F5F2C7571,SHA256=0C673D55B5B8B4721C368591D5C83549AF79DB69A5AF8CE3D09E122CFEA7B063falsetrue 23542300x80000000000000001536526Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:13.113{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536525Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:13.098{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF5AC291A0E756C8522F25417E609A9,SHA256=771660E4FF4FDCAAAA84CC582245283DD2E205A6D3073112A0C8F2B87C862DB5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005437991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:14.734{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005437990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:14.734{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BBEF7981599A67C176BABDCF8C70D619,SHA256=B3022C0EB60A6C406A047E6769BF82EEEE3CD33D92DFB4D21D765BD67A241FC0falsetrue 11241100x80000000000000005437989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:14.312{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:14.312{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E995AA5398226007702CA40C9C408F52,SHA256=F21F948CEE17990B94988D952CD2C6851A855D4315E3A1F715FFEB852FAC8D26falsetrue 
23542300x80000000000000001536528Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:14.149{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7943CDE9AF295F2B81341FDA91067DEB,SHA256=A530477DA065E332C06BB59C62D5E734B9D9C002F114AEA3C4CE351C72EAAFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536527Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:14.116{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07919E7ED2C37B9BC87650A7C10E94BF,SHA256=46CA143BE3155A302E0F59CEE28B0591EEB4A377F5917F1905B8F9C907BF1DC0,IMPHASH=00000000000000000000000000000000falsetrue 24542400x80000000000000005437998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:15.968{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe2user: ATTACKRANGE\administrator hostname: C02DN3AYMD6PMD5=F1241B945C91C94387E48E1E2F8526FD,SHA256=F2CE884FCDAB2E3A4FB448F8CFE89E892F77769425CBB5725CD6D267071A143Ctrue 10341000x80000000000000005437997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:15.968{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005437996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:15.968{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005437995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:15.952{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeC:\Sysmon\CLIP-F1241B945C91C94387E48E1E2F8526FDF2CE884FCDAB2E3A4FB448F8CFE89E892F77769425CBB5725CD6D267071A143C2021-09-08 18:18:15.952 10341000x80000000000000005437994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:15.952{4DF467A6-3F58-6132-2B00-00000000F001}29486384C:\Windows\sysmon64.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005437993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:15.327{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005437992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:15.327{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2C46087A109C410232D84696847BDC,SHA256=EF03040255177AFF7B9C5962D47F309E75F8E576A5594A0E6F5C43A69EFA2423falsetrue 
23542300x80000000000000001536531Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:15.252{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AD85A3720C7D35678F09591F3B7B479,SHA256=7CE342DB28F7E0B0F9111393750712239042132685231D88BD68E93F3BD6644C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536530Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:15.186{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952429033D6DC25154BD489BE94D5D52,SHA256=C21138F4F499F1106C45C330DE8AE5F0F38AE2C7342C8E3C0790AAE6D71D9A9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001536529Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:07.752{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60701-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 13241300x80000000000000005438004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:16.734{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D0542\VirtualDesktopBinary Data 12241200x80000000000000005438003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:18:16.734{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D0542 11241100x80000000000000005438002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:16.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:16.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B2986A6B1B72BBEB3469E5137ABD84,SHA256=E0890959E6973A7889215806592F4C73216B567BFC681168B366E9B06D806730falsetrue 23542300x80000000000000001536533Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:16.220{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECA8F3481A45D288CFAFDD5221C8802,SHA256=5259E2DFF724B1F51FABE9E8D02A16EDDF424949C2FDD0A77D47C2D7870899CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:16.265{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000005437999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:16.265{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06DC52AEF497E384D2B1B627B05E1222,SHA256=CAB65E66AD4CDFC73516D1D59CB4445D0EA7141AF527A3F5492DE8859830301Efalsetrue 354300x80000000000000001536532Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:08.901{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60702-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005438007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:17.359{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:17.359{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9385E967E61CA16C788BCB2BC648C4B8,SHA256=6F620E45378CDE21925DC243ABCEF134B45233B5FCC6EE6F52E40AB7F8B7F796falsetrue 10341000x80000000000000001536551Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:17.739{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE69-6138-5FCE-00000000F101}416C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536550Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:17.739{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536549Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:18:17.739{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536548Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:17.739{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536547Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005438057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005438056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005438055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005438054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005438053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005438052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005438051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005438050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 
(rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005438049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005438048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005438047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005438046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005438045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005438044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005438043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005438042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 
(rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005438041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005438040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005438039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005438038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.345{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005438037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.329{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005438036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.329{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005438035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.329{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 
734700x80000000000000005438034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.329{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005438033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.329{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005438032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.329{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005438031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.329{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000005438030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.329{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005438029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.314{4DF467A6-FE6D-6138-65D4-00000000F001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005438028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:21.313{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:21.313{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005438026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:21.313{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:21.313{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005438024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:21.313{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:21.313{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000005438022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.285{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7185MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 
11241100x80000000000000005438021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.284{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-71852021-09-08 18:18:21.284 11241100x80000000000000005438020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:21.283{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-71862021-09-08 18:18:21.283 23542300x80000000000000001536568Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:22.371{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7A7C9CEB0C5FF24D87731CFFA7EBD7,SHA256=018346983891A9C041446A9B0C25347EB47837036602F0625305FB0CDE4A4B1D,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005438204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.748{4DF467A6-FE6E-6138-67D4-00000000F001}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005438203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.748{4DF467A6-FE6E-6138-67D4-00000000F001}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 
10341000x80000000000000005438202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.748{4DF467A6-FE6E-6138-67D4-00000000F001}77526240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005438201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.748{4DF467A6-FE6E-6138-67D4-00000000F001}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005438200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.748{4DF467A6-FE6E-6138-67D4-00000000F001}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005438199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:22.639{4DF467A6-FE6E-6138-67D4-00000000F001}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005438198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.639{4DF467A6-FE6E-6138-67D4-00000000F001}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005438197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.639{4DF467A6-FE6E-6138-67D4-00000000F001}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005438196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:22.639{4DF467A6-FE6E-6138-67D4-00000000F001}7752\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005438195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.639{4DF467A6-FE6E-6138-67D4-00000000F001}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 
(rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005438194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:22.639{4DF467A6-FE6E-6138-67D4-00000000F001}7752\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005438193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.639{4DF467A6-FE6E-6138-67D4-00000000F001}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005438192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.639{4DF467A6-FE6E-6138-67D4-00000000F001}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005438191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.639{4DF467A6-FE6E-6138-67D4-00000000F001}7752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005438107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005438106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005438105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005438104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005438103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005438102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005438101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005438100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005438099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005438098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005438097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005438096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005438095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005438094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005438093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.017{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005438092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.001{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005438091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:22.002{4DF467A6-FE6E-6138-66D4-00000000F001}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005438090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:18:22.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:22.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005438088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:22.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:22.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005438086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:22.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:22.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 734700x80000000000000005438321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.939{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005438320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005438319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005438318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005438317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005438316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 
734700x80000000000000005438315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005438314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005438313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005438312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005438311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005438310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005438309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005438308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005438307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005438306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005438305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005438304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005438303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005438302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005438301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005438300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005438299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005438298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005438297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005438296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® 
Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005438295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005438294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005438293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005438292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005438291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005438290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005438289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 
734700x80000000000000005438288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005438287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005438286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005438285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005438284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005438283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005438282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.923{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005438281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.907{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005438280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.907{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005438279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.907{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005438278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.907{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005438277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.907{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005438276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.906{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005438275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:18:23.892{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:23.892{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005438273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:23.892{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:23.892{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005438271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:23.892{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:23.892{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005438269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.892{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.892{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=394BBE88CBEE3B1B8D483CF2E66CD71C,SHA256=8B6AD4291FAA3B95F94F8162377FEA8C7D3A64B318169570374DD31AC9B257CFfalsetrue 11241100x80000000000000005438267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.892{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.892{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58137C65D83B5477A222D0EA0316278D,SHA256=4A62C983813C0E6315227AC7851869A16CB4A21453935922EF31485C9E5BC8CAfalsetrue 23542300x80000000000000001536569Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:23.390{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBFC081D2F3C2013AF00601119159F1,SHA256=4B0F0B88954C59BBB6BD3F819D768633002279C1DF7560359D38EFA453843539,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005438265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.361{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005438264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.361{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005438263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.361{4DF467A6-FE6F-6138-68D4-00000000F001}327476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005438262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.361{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005438261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.361{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® 
Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005438260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.267{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.267{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A88E58837BEF31C81DA90AADAB2C83,SHA256=530ABEEE59A9B0B79D9F71C7DE2478103ED5593435CCF1D58BA7FC14431BB37Dfalsetrue 734700x80000000000000005438258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.251{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005438257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005438256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005438255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005438254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005438253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005438252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 
(rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005438251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005438250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005438249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005438248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005438247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005438246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005438245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005438244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005438243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005438242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005438241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 
(rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005438240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005438239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005438238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005438237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005438236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005438235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005438234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005438233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005438232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005438231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005438230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005438229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005438228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005438227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005438226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 
734700x80000000000000005438225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005438224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005438223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005438222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 
10341000x80000000000000005438221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005438220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005438219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005438218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005438217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005438216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005438215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.236{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005438214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.221{4DF467A6-FE6F-6138-68D4-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000005438213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:08.660{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63468-false10.0.1.12-8000- 18141800x80000000000000005438212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:23.220{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:23.220{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005438210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:18:23.220{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:23.220{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005438208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:23.220{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:23.220{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005438206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.126{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.126{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EF383BFF671BA5C2037FAA190503F5B,SHA256=C670FC9CFE862AEE0F6B2967230A8BF77503253F24387CEB45C9B9905A9125BEfalsetrue 11241100x80000000000000005438391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33ADCB8B7D1E316813BA29D766CB169E,SHA256=F23B09FF45F48160F91ADF0AA0F68B6F72E6E9C8BA5F8722BA07526FD0C5D981falsetrue 23542300x80000000000000001536570Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:24.393{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A1FD989814F775E617D2B348787AF4,SHA256=8559C4B8934EF4D5C17EF4408C936FF356DDD2218A5099A9B842A1BF821C223B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.829{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.829{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FBCC4D8F452F03CEB524430DE55EB53F,SHA256=2DC2AD851F3376D2F56720EC2C722E6308204F9C6422BDCB3E6492F5621CD9B8falsetrue 
534500x80000000000000005438387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.642{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005438386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.642{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005438385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.642{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005438384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.642{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005438383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.626{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.626{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99EB5563F2F943D7157FAAC433D1B2A,SHA256=5FC028252AED06763A4EC2B38BE4F4FEA0D8F3F5814C077C7ADA69F14BED5ED6falsetrue 734700x80000000000000005438381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.532{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005438380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.532{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005438379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005438378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005438377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005438376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005438375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 
734700x80000000000000005438374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005438373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005438372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005438371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005438370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005438369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005438368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005438367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005438366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005438365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005438364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x80000000000000005438363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005438362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005438361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005438360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005438359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005438358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005438357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005438356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005438355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005438354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005438353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005438352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005438351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005438350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005438349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005438348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005438347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005438346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005438345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005438344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 
(rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005438343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005438342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005438341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005438340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005438339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005438338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005438337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.517{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005438336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.502{4DF467A6-FE70-6138-6AD4-00000000F001}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005438335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:24.501{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 
18:18:24.501{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005438333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:24.501{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:24.501{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005438331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:24.501{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:18:24.501{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005438329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.236{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.236{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68A859BAFDE2C262288974A6D424B8A2,SHA256=01F971698FF43687C68EC34EEAB6E48CC96600C05282E1337FA6E4BB37D633DFfalsetrue 
534500x80000000000000005438327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.064{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005438326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.064{4DF467A6-FE6F-6138-69D4-00000000F001}46885648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005438325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.064{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005438324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.064{4DF467A6-FE6F-6138-69D4-00000000F001}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005438323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.048{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:24.048{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5B9A636BA7124F3BEFBAAB29EFFED8B5,SHA256=7E5143A94B3A9CCB82FC6D7E4F24DBBF57FBCF0EF4F8FA423081D12BB919C862falsetrue 23542300x80000000000000001536571Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:25.396{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F7A5DBF74BEB763BB3A16FA0D9A0AB,SHA256=E8CB459084C67D35551F675A3E6ABB14964D414A0BE805D8911892AEA4C5E3E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.626{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:25.626{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=163525CE8204344808469B8A1F4E9A91,SHA256=D79809C62FC31232A7A5420A6D0F4426C9745B4F202C78E101F2BC9BF95CE0A2falsetrue 534500x80000000000000005438448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.329{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005438447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.329{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005438446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.329{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005438445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.329{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 18141800x80000000000000005438444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:25.314{4DF467A6-3F58-6132-2600-00000000F001}2848\lsassC:\Windows\system32\dns.exe 734700x80000000000000005438443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.220{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005438442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005438441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 
18141800x80000000000000005438440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005438439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005438438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005438437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005438436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005438435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005438434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005438433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005438432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005438431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005438430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005438429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 
734700x80000000000000005438428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005438427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005438426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005438425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 
734700x80000000000000005438424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005438423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005438422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005438421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 
734700x80000000000000005438420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005438419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005438418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005438417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, 
Inc.Valid 734700x80000000000000005438416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005438415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005438414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005438413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005438412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005438411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005438410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005438409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005438408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005438407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005438406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:25.204{4DF467A6-FE71-6138-6BD4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005438405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63470-false10.0.1.12-8000- 11241100x80000000000000005438479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:33.442{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:33.442{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19783739551AD7949EA4520E0943961,SHA256=AA5D5487E1CCFD5C8B2FD7C170C40F5AEFE0C98C1853D0EA23F1DB6B3E8E4076falsetrue 23542300x80000000000000001536602Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:33.443{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C835D2CB74C14F7AC58F1BDACED94A09,SHA256=5697AA1CF458AAA0E929747119D7BD938AF584369D1865CE44C8E6D319AFA50A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001536601Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:25.693{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60705-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
10341000x80000000000000001536600Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:33.274{AEE49BD1-FE79-6138-62CE-00000000F101}59361724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536599Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:33.143{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE79-6138-62CE-00000000F101}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536598Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:18:33.143{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536597Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:33.143{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536596Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:18:33.143{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536595Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:33.143{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536594Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:18:33.143{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FE79-6138-62CE-00000000F101}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536593Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:33.143{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE79-6138-62CE-00000000F101}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536592Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:33.128{AEE49BD1-FE79-6138-62CE-00000000F101}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001536614Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:34.644{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=835E1AC51B1A73266CA11EF8F15B117D,SHA256=603648686B5A00BA6FE5FC2D2E08AEC4D76CBC7975C17273A206999F67830E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536613Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:34.513{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF59F68A010C80B2216B6EB957D474F,SHA256=6E6ACB22C420146487D4CF6C7DE6ED2FE158C1A7C85A7DE1864A0A48C975CD5D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:34.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:34.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B96E93DDE5FF9EA65F23AF1CEBAA82ED,SHA256=FC1A7ED9C1BF545587B0F5D0DEB9B2D94CB862B861218F173031B16057A79E10falsetrue 11241100x80000000000000005438486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:34.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:34.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D127F6ED0255323C59560F70A053110,SHA256=C40F32C55ED138CE00C391A97413DCA4521188A89ECF192F60EA87CB31D5E3D1falsetrue 11241100x80000000000000005438484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:34.129{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:34.129{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D65F89C760ECFA148E0B2FE4A00F4EE7,SHA256=46761E5377C8E819C90CC3546D6D7A225663740C6672E5EE552A5A0CA74AB060falsetrue 23542300x80000000000000001536615Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:35.516{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF2D7FC07EB885B2F08C36AE42A6AC0,SHA256=2194A91ABCAF6AA4702F164119FB86CEC3C42FB6953DE0B3752E44EDE55034E6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:35.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:35.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634B8D53640187F9AACDE4C225257771,SHA256=986BEC1E364AC82D7B36366832D1CD4C056A7EA1665C0D20DDBB107C8384C5DFfalsetrue 11241100x80000000000000005438492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:36.613{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005438491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:36.613{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF48F54EF276B6E3CAECC2DD5EA24BF,SHA256=C1ADA532C79C28AB1028F9D19AA4279DAAB57F76AA6AF0675FCF47DE46723DCEfalsetrue 23542300x80000000000000001536616Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:36.518{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394F0BF34F2E9718FDFA1FB93F444CF8,SHA256=DD0C210BBDF4964E32316A8BF82A6191C4E17B06CF946518787D494164AF9387,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:37.629{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:37.629{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D4FB3A2C81F3E1C8C2C2995C328091,SHA256=6E25DEAD4787AAECC18241F4A5A26EA007F442042F8BA6CBFC90C805EB7B28F8falsetrue 23542300x80000000000000001536620Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:18:37.686{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7176MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001536619Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:30.802{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60706-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536618Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:37.521{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF672061D140A199EBFD48CD1FF3E92,SHA256=896688F771DA8A4017D22A0AC319B67C47504BF29DCC7980EA2FB583E02CBF9E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:37.113{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:37.113{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2119AC92819D3A713D49F0CCDA85479C,SHA256=F26371B8DAC7BA227132A44C13F1DC254EB2CAE5EF39A0389D2964E6C60B19BCfalsetrue 23542300x80000000000000001536617Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:37.167{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D8AFDAE3AE7A9623081E43F7D034E72,SHA256=EB224776D59C9CFC0B1FF733794C8A1FD149C172EEF01BA16EE253A31B0AB9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536622Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:38.686{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7177MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536621Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:38.540{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D293A321D6FA150DBEC074453A1975,SHA256=A04847E5E2D5DB981FC5E2DBFD98776C0E188A59F1D77B4D9FFB34249D0DC736,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:38.645{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:38.645{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7790FBF64C8E042995EF43F16AC2EE,SHA256=A4400875CB81BDC7DF458E8EC69B8693C7945B3ECF9A15C62CF01AEA90983C4Cfalsetrue 354300x80000000000000005438497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:23.709{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63471-false10.0.1.12-8000- 23542300x80000000000000001536623Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:39.542{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34E59D471BC342AE5B08ACDE891D9F5,SHA256=43F912256A18547EADECA57D4BD8BC97BFC98B1228BB0B0991A17B3FF9DEAFDB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:39.988{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:39.988{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=71D760B9736D425E8D7204C44803E83A,SHA256=B7137D4D27130CD3AA7F0CAFDAF2BB5A19D29C2471B6F7F2E0C95AF82AAAF26Efalsetrue 11241100x80000000000000005438505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:39.660{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:39.660{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A418E72C9247F48FED6A9980996E3496,SHA256=E8D551C0BDFB12DF7AFB12D02D41C8C95DA17C06DFC207F20084A61CC00F53B9falsetrue 11241100x80000000000000005438503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:39.145{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:39.145{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C669389DF77289B3ACA248C552610E92,SHA256=C06ADF16B5627449F8E5FDCB759366756353F8080C784A42649809FD8AAF1894falsetrue 11241100x80000000000000005438501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:39.051{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:39.051{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3E2F0CE75FEED4EB80A1AA9F4EB3EDEA,SHA256=9FAD179DF91C1668A0313EBDB81FFDF93DEFFD38D8B7C136D9B09F51E5C08B64falsetrue 23542300x80000000000000001536624Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:40.544{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6714CF7CDC7F207E34C131A397DD8C,SHA256=FD0A7595ECA44198406EAB9047A259956F2C59F2721BD85369B79EF541F2A944,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:40.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005438508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:40.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A5CEEE3AC77DDEDC114BE252D34C65,SHA256=62282B23E4AD495D1691EEB2AF427743BB700D9D29DBC1425D4B3415B19BFE62falsetrue 11241100x80000000000000005438512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:41.692{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:41.692{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9296220AABC6430ABE26A89AED84D193,SHA256=396051F420D5280F52A20F5F986F512C63AB08F80AE219083898E7421247AFEFfalsetrue 23542300x80000000000000001536625Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:41.546{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B725E06041F44D4D8924CF3897B3AA84,SHA256=2774B82B0027F861A340955A9E95942778588F13A74DB623550DCA8835B5A48E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005438510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:18:41.004{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a4dd-0xf3760a45) 354300x80000000000000005438519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:28.725{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63472-false10.0.1.12-8000- 11241100x80000000000000005438518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:42.707{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:42.707{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E532E8E582C913E96551FE37F6641122,SHA256=1133F02C146E781BBDC7B00D53CB9E9BEC98601B134937782B54CB54FFB67F3Efalsetrue 10341000x80000000000000001536634Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:42.665{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FE82-6138-64CE-00000000F101}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001536633Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:42.665{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536632Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:42.665{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536631Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:18:42.665{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536630Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:42.665{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536629Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:18:42.665{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FE82-6138-64CE-00000000F101}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536628Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:42.665{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FE82-6138-64CE-00000000F101}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536627Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:42.650{AEE49BD1-FE82-6138-64CE-00000000F101}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001536626Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:42.565{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B1B9F3AFAD816A210538BC0EA96D18,SHA256=8A6021AA328596F7923209A95A319EADB95E376A33AA3CAB405C9F313273C07B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:42.129{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:42.129{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39E6FB399112CBC60037BA1C6ED3C7A8,SHA256=6DE232E3F8B747C1D78B17970067B0807021E3C6791327FA04864498F58B5556falsetrue 11241100x80000000000000005438514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:42.129{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:42.129{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC97AC6DCBB1D11167D64EF31BAFE742,SHA256=2D62385924AC3814765DDAE16E9C6C36C953635678191ED60361375FA85255D0falsetrue 11241100x80000000000000005438523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:43.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:43.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C43CF0F5DE3F02F3A9513F07D672FA,SHA256=1787933D79AE2EDB19F988B12F2071EDE623DA0723C672BE8D2D2A3679B6DCE2falsetrue 354300x80000000000000001536638Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:36.666{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60707-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536637Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:18:43.566{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B1EE852B89215A886B7E7A0C7FE8B6,SHA256=124BE70989623CBE18345ED60A4B23F7D51AB4E6B7D3EB7A742A8ED16763224D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:43.207{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:43.207{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39E6FB399112CBC60037BA1C6ED3C7A8,SHA256=6DE232E3F8B747C1D78B17970067B0807021E3C6791327FA04864498F58B5556falsetrue 23542300x80000000000000001536636Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:43.016{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D0911A52B12DA734B057F2C49B4B07A,SHA256=179C7B9B01F6D03568F7776668C1B8D61D4AE2944725E98BF768B51951C0F396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536635Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:43.015{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AF4E413770658DA4205F44C7F3280E7,SHA256=A1754D10D6C27B7303A2882E49BAF9001CAECF9C36334F7D67DF58658EDCC7E8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:44.738{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:44.738{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECBD03F2C8FAFDE69602A04873891BE,SHA256=B2005533BF05572C0FEA3CB5C4C6EF13FE2A3CCD289A0FDB7E2EBE67721D864Dfalsetrue 23542300x80000000000000001536639Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:44.569{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9727E9B50545441B8C064B8B1DCBB60,SHA256=23D841D64F08065145C37743ACBBD6E890383C640CF2EC7974884BAC53F3AB37,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:44.332{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005438526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:44.332{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E7BBEE30E8DEC7992CD6981EFFAB49EC,SHA256=D9F296C3FFC58E6B870A015B0DBB9D709BB606256C64AB5C47501FF6EF3D26E1falsetrue 11241100x80000000000000005438525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:44.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:44.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E33C6744F24EED54A5194B02B9B4ACB7,SHA256=5583811AE8E6D99843A3C404EEDE45EF545E815FCC36AF5CF5C380C48E788CA3falsetrue 23542300x80000000000000001536640Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:45.571{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5E74B959FB17F267E32872F0F495E9,SHA256=13AA5B21AF306CD2374FBF4C0023F0E157900E311C7091409CD7812C25D761A0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:45.770{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:45.770{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF56C99106D316307E360599606A1D1,SHA256=33078545EE371009250728450BDFB6F07DEE22FB007D4DFE75F559292A0A511Efalsetrue 11241100x80000000000000005438531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:45.035{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:45.035{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5D69636ECAE6E00D8F2D5065C8218DFD,SHA256=C44349C7941DF99BD62BA90D6B812F3FE5F08809CDDECB51B3971128EC9ADDA8falsetrue 11241100x80000000000000005438535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:46.785{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005438534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:46.785{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B975C60582ED8429063DFACAA26604,SHA256=65193257412E23FABC76D43EFBA85A67EB9F580BB7E1BCF74D3F6AF7A9FC0B5Afalsetrue 23542300x80000000000000001536641Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:46.573{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EBCC1EF3EA39693769EAA4A1EB4C04,SHA256=1AEEEDD5CB3DD1E723663EA6E8360EAF90A5B7452E87193078AE82540F771075,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005438542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:33.834{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63473-false10.0.1.12-8000- 11241100x80000000000000005438541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:47.830{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:47.830{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB42AD35E73D97D130244D965B0E522,SHA256=2BC256B9BBEFB6E0550FC4E6DC1BB84DCA9AE9DD277811B43A5618D9CBBB3FC9falsetrue 23542300x80000000000000001536642Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:47.591{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3676AB841688B8D6FDFD882BB706A9E6,SHA256=C13C1A1576CDB7B2B83D735916E9344E227184033448F5C69321AB1BB5FD31AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:47.783{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005438538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:47.783{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005438537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:47.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:47.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B440BF31C4617662E48F8EEA5BCD5EEC,SHA256=B3A8CDE83A6BEAE54F6C86BA9D0CB4F5F2EF4CC35FE6A76FC865F88EA4BF3D74falsetrue 11241100x80000000000000005438546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:48.845{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:48.845{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3EF65D06D0CE227BDC7406E0529D58,SHA256=F1BD156912E384B9A064A523463609B8F1B8FE65B5F237906C96EAB1BC608298falsetrue 354300x80000000000000001536646Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:41.827{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60708-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536645Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:48.593{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C6A7DE96979422EE7661575477AEDB,SHA256=74F6F2BDC3885F06D9DF53998E96B10CF5D489D1E0DD4EC4C2BA5752E0B0EC28,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:48.798{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:48.798{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F0FCA7191FCA8FB9FC22CDAB9BA7847,SHA256=4AB424997F01E114F5AD59D291D7EBABEF588F8AEBD7A7D7AFD634CF4A219413falsetrue 23542300x80000000000000001536644Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:48.176{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B31F8AAB4688275076AB40DE0496079,SHA256=1468CA568283DBAE7A301CA2C234CEBC993B5E6E227A6246F7BE716938983A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536643Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:48.176{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D0911A52B12DA734B057F2C49B4B07A,SHA256=179C7B9B01F6D03568F7776668C1B8D61D4AE2944725E98BF768B51951C0F396,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005438590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:35.410{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63474-false10.0.1.12-8089- 11241100x80000000000000005438589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:49.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:49.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5706633047AE094537E561E07160F9,SHA256=65F607E1961B4C2F582900DE501EFE2A3E4DF44C973C70AD70EDF1AB49B7DF3Efalsetrue 23542300x80000000000000001536647Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:49.596{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C36D1C52C7B493B20FAF375204BDBB,SHA256=891D45DBB9E5743AA1E5ED6C37FE4C1C3C7E2DB3DAFD8372C28F01E229EF5D53,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x80000000000000005438587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x80000000000000005438586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x80000000000000005438585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x80000000000000005438584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x80000000000000005438583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d7a4dd) 13241300x80000000000000005438582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0xf8890821) 
13241300x80000000000000005438581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d7a4dd) 13241300x80000000000000005438580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0xf87857aa) 12241200x80000000000000005438579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000} 12241200x80000000000000005438578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List 12241200x80000000000000005438577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine 13241300x80000000000000005438576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 
13241300x80000000000000005438575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x80000000000000005438574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x80000000000000005438573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances 13241300x80000000000000005438572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-291 12241200x80000000000000005438571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x80000000000000005438570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x80000000000000005438569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 13241300x80000000000000005438568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-291$ 12241200x80000000000000005438567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x80000000000000005438566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x80000000000000005438565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 10341000x80000000000000005438564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:49.517{4DF467A6-3F46-6132-0B00-00000000F001}6367488C:\Windows\system32\lsass.exe{4DF467A6-3F3E-6132-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000005438563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 12241200x80000000000000005438562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.517{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x80000000000000005438561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.408{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x80000000000000005438560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:18:49.408{4DF467A6-3F48-6132-1600-00000000F001}1248\lsassC:\Windows\system32\svchost.exe 12241200x80000000000000005438559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.408{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005438558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.408{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x80000000000000005438557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.408{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-west-2.compute.internal 13241300x80000000000000005438556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.408{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-291.attackrange.local 12241200x80000000000000005438555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.408{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x80000000000000005438554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.408{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness 12241200x80000000000000005438553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 
18:18:49.408{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005438552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.408{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Cache 12241200x80000000000000005438551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:18:49.408{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy 11241100x80000000000000005438550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:49.314{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:49.314{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EEEA673EE3790A0562D50AE46EE13187,SHA256=FFB35847C4E2354B9685B46CCB1AA3215C11C410369034C8C58AE92616B5427Bfalsetrue 11241100x80000000000000005438548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:49.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005438547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:49.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAF1D35678864BBDA13A6995B32158B7,SHA256=85BE0D74C6035948345BC935E589D32C85D07E69241DDA55D78B3DF568650FBDfalsetrue 11241100x80000000000000005438596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:50.955{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:50.955{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=839F996D0BC051F63C457FCFB14990A2,SHA256=C917A4B97FE09F4F5B66391361917A11B9BD9E79D487AF488B7A658ED514271Cfalsetrue 23542300x80000000000000001536648Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:50.598{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADCF4B5E675C099C2DE413CC12D82EC,SHA256=D84AD674AC2AC5430D8FA76735E64C98C2F1EDC9B0C235A03285317A6D50F419,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:18:50.423{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:50.423{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B66272DBED997E5DE3B4E272AB45702,SHA256=157D876017DABBC0F1BEFA919E876272167FAD00BA66E71E3FF24AEEEDBC436Afalsetrue 11241100x80000000000000005438592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:50.080{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:50.080{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=68C8D191912837DBDAD77B2CFF9BBF9A,SHA256=20AE042351F31048AB14AC80EAFA10460FD5E0A64AC98E0DB038CFAFE9A5ECDAfalsetrue 23542300x80000000000000001536649Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:51.600{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44478453E45D2A3656A21A42A642D6D9,SHA256=79F446E753E7F0D2977F381E1FDC9223672816161BDBA557685EEF1583D8B920,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005438602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:37.163{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63477-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000005438601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:37.163{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63477-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000005438600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:37.059{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-291.attackrange.local63476-false10.0.1.14win-dc-291.attackrange.local389ldap 354300x80000000000000005438599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:37.059{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63476-false10.0.1.14win-dc-291.attackrange.local389ldap 354300x80000000000000005438598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:37.053{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63475-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 
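The rows above are Sysmon events (IDs 3, 10, 11, 12, 13, 18, 23) whose fields were exported with no delimiter, so they cannot be searched by field as they stand. The parser below is an added example, not part of this page or of the Splunk Attack Range data it was captured from. It recovers the fields of the ProcessAccess (ID 10) and NetworkConnect (ID 3) rows from the documented Sysmon field order, decodes the GrantedAccess mask, and applies the usual LSASS-handle check. Assumptions: Keywords is always 16 hex digits, the Computer field has alphabetic domain labels, and a hostname that follows an IP does not begin with a-f (otherwise the IP capture absorbs it). The sample rows are copied from this page (the call trace of the first is cut to three frames); CONSTRUCTED_ROW, its dump.exe path and its GUIDs are made up for the test and do not appear on the page. Note what the page's own ID 10 row actually says: lsass.exe is the source, reading the System process with 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) from inside kerberos.DLL, which is routine, and its SourceProcessId/SourceThreadId pair ("6367488") is fused by the export and cannot be split reliably.

```python
import re
from dataclasses import dataclass

# Each row on this page is one Sysmon event with its fields run together.
# Fixed prefix: EventID, Version, Level, Task (= EventID), Opcode, Keywords
# (16 hex digits), RecordNumber, Channel, Computer, UserID ("-"), optional
# registry EventType (SetValue/CreateKey), UtcTime, then the event data.
HEADER = re.compile(
    r"^(?P<eid>\d+)(?P<version>\d)(?P<level>\d)(?P=eid)(?P<opcode>\d)"
    r"(?P<keywords>0x[0-9a-f]{16})(?P<record>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<computer>[\w-]+(?:\.[a-z]+)+)-"
    r"(?P<etype>[A-Za-z]*)(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"(?P<data>.*)$"
)
# ID 10 ProcessAccess. SourceProcessId and SourceThreadId were exported as one
# run of digits (spid_tid) and cannot be split back apart reliably.
PROCESS_ACCESS = re.compile(
    r"^\{(?P<sguid>[0-9A-F-]+)\}(?P<spid_tid>\d+)(?P<simage>.+?)"
    r"\{(?P<tguid>[0-9A-F-]+)\}(?P<tpid>\d+)(?P<timage>.+?)"
    r"(?P<access>0x[0-9a-f]+?)(?P<trace>(?:[A-Za-z]:\\|UNKNOWN).*)$"
)
# ID 3 NetworkConnect. IPs are read greedily from [0-9a-f.:]; assumption: the
# hostname that follows never starts with a-f (true for every row on the page).
NETWORK_CONNECT = re.compile(
    r"^\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<image>[A-Za-z]:\\.+?\.exe|System)"
    r"(?P<user>.+?)(?P<proto>tcp|udp)(?P<initiated>true|false)(?P<sip6>true|false)"
    r"(?P<sip>[0-9a-f.:]+)(?P<shost>[\w.-]*?)(?P<sport>\d+)(?P<sportname>-|[a-z][a-z-]*)"
    r"(?P<dip6>true|false)(?P<dip>[0-9a-f.:]+)(?P<dhost>[\w.-]*?)(?P<dport>\d+)"
    r"(?P<dportname>-|[a-z][a-z-]*)$"
)
BODY = {10: PROCESS_ACCESS, 3: NETWORK_CONNECT}

# PROCESS_* access rights as they appear in a Sysmon GrantedAccess mask.
ACCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
MEMORY_RIGHTS = 0x0008 | 0x0010 | 0x0020 | 0x0040  # enough to read or copy LSASS memory


@dataclass
class Event:
    eid: int
    record: int
    computer: str
    utc: str
    etype: str   # "SetValue"/"CreateKey" on registry rows, otherwise ""
    fields: dict


def parse_row(row: str) -> Event:
    """Split one flattened row into header fields plus ID 3 / ID 10 event data."""
    m = HEADER.match(row)
    if not m:
        raise ValueError("not a flattened Sysmon row: " + row[:40])
    eid, fields = int(m["eid"]), {}
    if eid in BODY:
        d = BODY[eid].match(m["data"])
        if not d:
            raise ValueError("event data did not parse: " + m["data"][:40])
        fields = d.groupdict()
        if eid == 10:
            fields["access"] = int(fields["access"], 16)
        else:
            fields["sport"], fields["dport"] = int(fields["sport"]), int(fields["dport"])
    return Event(eid, int(m["record"]), m["computer"], m["utc"], m["etype"], fields)


def decode_access(mask: int) -> list:
    """Names of the PROCESS_* rights set in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def lsass_verdict(ev: Event) -> str:
    """'suspicious' only when lsass.exe is the TARGET and the handle carries
    memory rights; a row that merely contains 'lsass' is not enough."""
    if ev.eid != 10 or not ev.fields["timage"].lower().endswith(r"\lsass.exe"):
        return "not-lsass-target"
    mask = ev.fields["access"]
    return "suspicious" if mask == PROCESS_ALL_ACCESS or mask & MEMORY_RIGHTS else "benign"


def triage(rows) -> list:
    """(RecordNumber, EventID, verdict or one-line summary) for each row."""
    out = []
    for ev in map(parse_row, rows):
        if ev.eid == 10:
            out.append((ev.record, ev.eid, lsass_verdict(ev)))
        elif ev.eid == 3:
            f = ev.fields
            out.append((ev.record, ev.eid, f"{f['image']} -> {f['dip']}:{f['dport']}/{f['dportname']}"))
        else:
            out.append((ev.record, ev.eid, ev.etype or "-"))
    return out


# Rows copied from this page (first call trace shortened), then one CONSTRUCTED
# row that is NOT on the page, so the LSASS check has something to fire on.
PAGE_ROWS = [
    r"10341000x80000000000000005438564Microsoft-Windows-Sysmon/Operational"
    r"win-dc-291.attackrange.local-2021-09-08 18:18:49.517"
    r"{4DF467A6-3F46-6132-0B00-00000000F001}6367488C:\Windows\system32\lsass.exe"
    r"{4DF467A6-3F3E-6132-0100-00000000F001}4System0x1000"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd"
    r"|C:\Windows\system32\kerberos.DLL+96ef2",
    r"354300x80000000000000005438600Microsoft-Windows-Sysmon/Operational"
    r"win-dc-291.attackrange.local-2021-09-08 18:18:37.059"
    r"{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exe"
    r"NT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-291.attackrange.local63476-"
    r"false10.0.1.14win-dc-291.attackrange.local389ldap",
    r"354300x80000000000000005438602Microsoft-Windows-Sysmon/Operational"
    r"win-dc-291.attackrange.local-2021-09-08 18:18:37.163"
    r"{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue"
    r"fe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63477-true"
    r"fe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds",
    r"13241300x80000000000000005438587Microsoft-Windows-Sysmon/Operational"
    r"win-dc-291.attackrange.local-SetValue2021-09-08 18:18:49.517"
    r"{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe"
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdue"
    r"DWORD (0x00000000)",
]
CONSTRUCTED_ROW = (  # hypothetical: an unsigned binary opening lsass with VM_READ
    r"10341000x80000000000000009999999Microsoft-Windows-Sysmon/Operational"
    r"win-host-296.attackrange.local-2021-09-08 18:20:00.000"
    r"{AEE49BD1-0000-6132-0000-00000000F101}51202400C:\Users\bob\Temp\dump.exe"
    r"{AEE49BD1-3F46-6132-0B00-00000000F101}640C:\Windows\system32\lsass.exe0x1010"
    r"C:\Windows\SYSTEM32\ntdll.dll+9d3e4|UNKNOWN(000001E3A0B20000)"
)

if __name__ == "__main__":
    for line in triage(PAGE_ROWS + [CONSTRUCTED_ROW]):
        print(*line)
```

Run it directly to print one triage line per row. To feed it the rest of the page, rejoin the records that wrap across lines first: a new record begins at the EventID/Version/Level digit run immediately followed by 0x8000000000000000, and the rows are separated by a single space.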
354300x80000000000000005438597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:37.053{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63475-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 23542300x80000000000000001536650Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:52.603{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C02864FEAEE51B8570AC9D00E1DBAF5,SHA256=FA6CF34492B784DC30AEEF1EF70C433A8BC4D3FC3594E1438EF32F79901CF548,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:52.002{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:52.002{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5DC03C8BBFE47491041F9360599F13,SHA256=FEB2C9D8C5B391E03CC7B0B606858923C2937AB0F3BE40F465C22C9063E194FEfalsetrue 23542300x80000000000000001536651Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:53.639{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346E4B292D00C29E537903CA009E215F,SHA256=D0BACC255A2C3B0DDA0ABECFD79A6C8C8766545073432C95DB378BD1C3270ED2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:53.267{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:53.267{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB1C7C411C7A9AE5EA217F00B89AF343,SHA256=64941BAFF3D1FB0D1E5F87DCA52A5FDE43D68952AF339646B0EA0966F7FBF42Ffalsetrue 11241100x80000000000000005438606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:53.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:53.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43ACD734E4362A453B0676F424131A67,SHA256=1EC8677F5354AA289528C1D1D7681A2FB037F029E3DD084CF4E02431645D01BFfalsetrue 
354300x80000000000000001536655Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:47.727{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60709-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536654Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:54.641{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDBAE2EB817EEA5AB9DB678A223B43FA,SHA256=3F1C177C3AF382944D352016168A29611BCFCD7B19CA7CB95FB0493BAEFE4163,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:54.673{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:54.673{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4068168DA89EE243C7C18747C0020ED9,SHA256=DB7255021BF8155FB655DFA92754F866CDD41DF349B167DE1422CA3A81B4CC0Dfalsetrue 11241100x80000000000000005438613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:54.580{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:54.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=21ED5C31CDFD7EA147BC2B45BA8E7C22,SHA256=0FF2B8864C8C15B8B0655FECA57021BC187BA31E1CDF251223A0AD251F4BA9B3falsetrue 354300x80000000000000005438611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:39.831{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63478-false10.0.1.12-8000- 11241100x80000000000000005438610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:54.127{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:54.127{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FEB5AF72AF08ECA74C97C7B046153B,SHA256=4066557CBE86F29F413A501BAFD513036BE54C4F3044FAD8172D7C95142AFF68falsetrue 23542300x80000000000000001536653Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:18:54.091{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B3D0D5BC0BAE2F7C5BAB9D198828EC3,SHA256=E747D78CD6FD49157586290A31104B0301A538C605787FAA552BB3CC07614578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536652Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:54.091{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B31F8AAB4688275076AB40DE0496079,SHA256=1468CA568283DBAE7A301CA2C234CEBC993B5E6E227A6246F7BE716938983A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536656Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:55.644{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BB92FBF9716D4D2D37534DC131650F,SHA256=0653B40155662E88B768B4228283A8DC5881C197312764C788902E1E283BBFC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:55.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:55.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7973DCFF18832CBEDE9A0DCC0C51CFBB,SHA256=E285E281A42EA1F26170B510A4BB4A9D69331BB5EBFD24D3FFC5D8D469D7C349falsetrue 11241100x80000000000000005438617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:55.127{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:55.127{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=64B1EA3074B97677127B634922F23DC4,SHA256=A94BD6E8A5AC0F347746E27AD6B6A0DD3F401357BB7873296617D127C01BB36Cfalsetrue 23542300x80000000000000001536657Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:56.647{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA8D26B9638F82650521BC3BD5575C7,SHA256=C243E5CD58740ACE5C494CF6827F49C3F8C4CE6AB4583A7C5ADDEBF4626C052B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:56.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:56.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D782AA39DF0E13EB7E35DB5F0DD290A,SHA256=E36E318010D6153D604C08CDF25B8FE6C3E4250349D4586A9BD1FB2441265350falsetrue 11241100x80000000000000005438623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:57.345{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:57.345{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFFBEDA8B7EFD25C9907504EAD08C29,SHA256=B3ED71C83AA5A6A0BB52223DC7896F1636008B869548B248986BD057DFC5E512falsetrue 23542300x80000000000000001536658Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:57.650{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=686337D9DB8D55B44B5530F231C5107F,SHA256=01900D14F4B551E9D7983C35467F9EF2831C0FB3BE88A62AB97F24FDE649967F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001536659Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:58.652{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710C1903C547C8DB0B0812C956B46ECA,SHA256=0AE2EAC0746F2D2DFAE33DF552AEADD1BE58D7E09A29FAC86400B5DDEB224403,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:58.377{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:58.377{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B92411374758CD7BCBE190BD272AC3,SHA256=08AF368711A78789E58580CB087DCF9C1E0D0EC01253E32AD59360938B43FCCDfalsetrue 11241100x80000000000000005438627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:58.361{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:58.361{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76D1293CCFBB0D0A48C398ED0CE8E2C2,SHA256=15A73B0599028F5F977CEE87BA55F150DDC2B2D6584A599329DBEED9834976A4falsetrue 11241100x80000000000000005438625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:58.361{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:58.361{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0CE7E36CC1B7CDF34AEBC7715E9D6E8,SHA256=5870E4D446E8C05D3614779E441250F480C28D558B83AB38550BF16B05DDC4ABfalsetrue 354300x80000000000000001536663Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:52.802{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60710-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536662Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:59.656{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2D152245B97FCD19E73E9E79A90AC8,SHA256=E0874710C272AE6E4D6B846AE253BB3E165E81E533DBC4B117E77F37F386B7A1,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000005438636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:44.878{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63479-false10.0.1.12-8000- 11241100x80000000000000005438635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:59.455{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:59.455{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A63555DD0A37D22474D358DE30160D0C,SHA256=2138D81C9D142E218779D63E92A28F981C9FD89D85F815B34D5B7E9171C98F9Cfalsetrue 11241100x80000000000000005438633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:59.423{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:59.423{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D6C09A7F52D9DFD0BC12F39B623713,SHA256=7C1DDA465498790217CBD4805FF25C1A6A3AD57D7457046DE9C634F532124DEAfalsetrue 23542300x80000000000000001536661Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:59.205{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B64E9D5B69FB0CC550A7495BC44746B,SHA256=3B7F9E9F797536AB951FAEFEE9B3019E15E6D99C0D3F1D836250431C91D618E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536660Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:59.205{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B3D0D5BC0BAE2F7C5BAB9D198828EC3,SHA256=E747D78CD6FD49157586290A31104B0301A538C605787FAA552BB3CC07614578,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:59.361{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:59.361{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7854E988F5CBD38D2809B0DB60301B15,SHA256=8E289D0148C16F5133579A3531D73360F470A2DB8DEF8C4E739F0BE1AF9BAA88falsetrue 23542300x80000000000000001536664Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:00.677{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CE38B9D6C590E1DD516A95BE58791B,SHA256=DD5D6CA69F8DBFA753B7E15087EBC88D08B39C017D8E8FF4621A59BEA4BFE1E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:00.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:00.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5736ED06B5A85C9D2F3DBA6D07A62EA1,SHA256=88E337759958583F41B544FA34C3FC0A9792BAEA6C8D2BC32BE9F02A2E1C4904falsetrue 11241100x80000000000000005438638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:00.189{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000005438637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:00.189{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=37EF11A35A581FEC6F309DDFE2D2E228,SHA256=FB2CAE41025F5DFBE602B79DE42D3D3AD18703CDBFAE0B734EE276CE398B9704falsetrue 11241100x80000000000000005438644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:01.455{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:01.455{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83948E2A858A625085B8E1A907632BF,SHA256=0E551A1C441890690DE5B943E50C75B85EEB9422B9E9F6A45CCD1E0654405B8Efalsetrue 23542300x80000000000000001536665Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:01.680{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CA89F761136A2253E1F29CD4AB9B7C,SHA256=94EA65DAE76AB5A62148BB82F557B98D0FEF3934437A398BFCAD147364647A54,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:19:01.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:01.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76D1293CCFBB0D0A48C398ED0CE8E2C2,SHA256=15A73B0599028F5F977CEE87BA55F150DDC2B2D6584A599329DBEED9834976A4falsetrue 23542300x80000000000000001536666Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:02.683{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FE0A30D769683276FCE0BB4BDE0A2D,SHA256=C0227329258DCA9FB43192C0DF60FE67E4B7169523172C802BCAD71282BFFF39,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:02.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:02.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C543A45AC0CA8559CD7D331BE08453,SHA256=007E768322EEBB89DFD6851F0EDBE1D0C73D9ADBB9BD0AF99A62282601E9296Cfalsetrue 23542300x80000000000000001536667Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:03.687{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B5FA82E03820FE4EB8584D1340908A,SHA256=05D9E697831DDCE2DF31D172DE5487B4BA8598B14A087C5549B71DB523A03080,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:03.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:03.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE461C3314F9EBA4938482ABECABBFFB,SHA256=D287350A13729A2B4F19402AD11F5BA46AF5D54D6DE7AFE468C1BA3634F607FFfalsetrue 11241100x80000000000000005438648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:03.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000005438647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:03.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=190ADCE101073F744FC19F05EB77053E,SHA256=FC4C46F0BBFC8B60519F0DECF860721E4B7551B38CB6C5006B60377B9596963Afalsetrue 11241100x80000000000000005438657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:04.830{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:04.830{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=989AC04D99CE6C9223326AD735A5BCA0,SHA256=0D2C5A03FC0277529F6F625AB6AE1FADE8980F54C2A99D38A922330BC8034606falsetrue 11241100x80000000000000005438655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:04.736{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:04.736{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A7AF540E1CD6CC414322BC912B1B48BD,SHA256=AA380F508853F682E4C24AB669696074C7C51E5C82614939AF28AEB88C75C8D5falsetrue 11241100x80000000000000005438653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:04.736{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:04.736{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA6BE8C36C1682D58407412DCBD4AB9,SHA256=988816DB9CC9227F451A0F736E4820A1452820170C03604CB484AA5D96ED4B12falsetrue 23542300x80000000000000001536668Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:04.690{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8904EC7033F41A1AE293F2A7752328D1,SHA256=434FBF20A156965ED26B8DC3F3D6E359432F9A4F092A1B587863419280EE2040,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005438651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:50.768{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63480-false10.0.1.12-8000- 
11241100x80000000000000005438661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:05.861{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:05.861{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668E72F9AD6A0356ADEF030EBB0DB261,SHA256=3408F7B5C9668F0CA601BF43DAC95465C61FC1923B792FFCE824D8DFC60303BEfalsetrue 23542300x80000000000000001536672Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:05.823{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BA8A8C34EB1E31768DFF5CB44DC05562,SHA256=986953069503C360119BBBE06BDF4C55D8A0378F5BEF963910F4A7B2AC3723C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536671Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:05.691{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534C201BF76FBD15F2B98069CC07DB8D,SHA256=32376BD7C0BE462AB58336A895D76DF5CD5B9C8376B7DB0D55D21120C0E572D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:05.283{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:05.283{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4687670C653819F4DD65151FAFC197D6,SHA256=80E7B3A7CFD3B852CF52F4F9B9E2A97D685271E63AA5F881C54B26519B849A18falsetrue 23542300x80000000000000001536670Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:05.053{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DD7389B1B4938888C8C69C2E283134A,SHA256=0229C9CF91ACA881574E078A28E5B7ED40DCD5A79011FD42F72F1CDCF870110B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536669Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:05.053{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B64E9D5B69FB0CC550A7495BC44746B,SHA256=3B7F9E9F797536AB951FAEFEE9B3019E15E6D99C0D3F1D836250431C91D618E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536674Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:06.694{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAB37AB80FB413FECB6E571A67EA4ED,SHA256=43EFEA6F56983B9FFA3CEBA542B7F90A66C3D0F12BF8E3B67CDD622D1127F8E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001536673Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:18:58.704{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60711-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536675Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:07.697{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF919876E24717458970BB66406BE66,SHA256=3A66101AC890CBED28ABC32683ECC6612C5532BDC82B4986C58FE546FFDC69E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:07.080{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:07.080{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBEDDA0D2F55BB96FA449231273F3E4,SHA256=1C5F4BC81286D5751EA72B0AA6F00F38A3D439F49C08BF594D1ABBD0033D0595falsetrue 23542300x80000000000000001536676Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:08.699{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D55F972C7526C49811C8E1BB4DF9063,SHA256=EECD5D90AA57B8C0E8C0A41467F12D2C98712A16CCF760E99553F55FCDB882AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:08.157{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:08.157{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D017A4D69703902272F91C7F7C2437,SHA256=89CDCAA2B52191A5866DF2F46108509F5F6039BC8276465C39F600E2FBBD92D5falsetrue 11241100x80000000000000005438667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:08.157{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:19:08.157{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D48774A600892F3DCDBA683C01ECA5F,SHA256=9655C131B3EF93AE53D32149C8EAFE71D028C921805DC2BAC9EF579428F92D71falsetrue 11241100x80000000000000005438665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:08.094{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:08.094{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674DA663802E43849AB63947A0DD6AC2,SHA256=D752891746EAF0B1FC05E9F3FB8441D29020B8FDF8C0B69457AD0F0E5BF459BDfalsetrue 23542300x80000000000000001536677Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:09.733{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E53EB0B46ABF73739C4DB49223D182B,SHA256=4274A9306574F91A9BED58BDD74E2DD7666E254072404BF33FFD3A490C3EF221,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:09.594{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:09.594{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=435F101BEAE5C2C9742D8BE964324968,SHA256=2ED9BE73AC7EC5BF8F8CAF4D845AD89443974B53B9D1BC2782993470EB14D532falsetrue 11241100x80000000000000005438673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:09.501{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:09.501{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=676BFCADDD9AA9F1A6986D3AE830D78B,SHA256=5BE33D8AD0C8C1912966D41EB4EABB68C093B4A1908B726816AAF45FE7B68376falsetrue 11241100x80000000000000005438671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:09.110{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:19:09.110{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1E2224FB8ECCFE845F19F615448B2D,SHA256=F04A85ACB297E29B990E3596AA96EC0B6EC85AC1D19A20B680E67D3E3DA24C9Ffalsetrue 354300x80000000000000001536681Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:03.785{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60712-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001536680Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:10.752{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4279F780B08D8CBCB941A9CBB5CAD21C,SHA256=D1948DFF5023B576955EC1D687F6CF69A0A8B8F019393953203E12D0CC3583C3,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000005438686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:19:10.922{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x80000000000000005438685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:10.922{4DF467A6-3F48-6132-1400-00000000F001}1056\lsassC:\Windows\system32\svchost.exe 354300x80000000000000005438684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:18:56.705{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program 
18:19:18.441{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536714Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:18.441{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FEA6-6138-67CE-00000000F101}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536713Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:18.441{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FEA6-6138-67CE-00000000F101}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536712Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:18.426{AEE49BD1-FEA6-6138-67CE-00000000F101}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001536711Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:18.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A86868D9F5A23123E4FF2F0F6207568,SHA256=39907BA13ADCD83A2920328472E11D2741000BB0ABE5EDE4849F5434858719AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536722Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:19:19.846{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BEDB2D75C5B043B07CA6343042D049,SHA256=DC8A9CA8069621521607171DBFAF3C0BAA5C97CB5B95538DD2CE68C54D5E5D1E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:19.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:19.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4548F4512752E6FC2FFCA129FE9C5274,SHA256=8C2F9FC64D7089C31BF0F8496DDAFACB2F7ED9D4E927FF9CEEA4DE7DBABAF2E6falsetrue 11241100x80000000000000005438721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:19.751{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:19.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=11CA5845A046D1D79C600B1FB0CC7444,SHA256=3B9F8C068E02FCD04A9FDCAF913A01D36B62C213DA85B42F706E9E3534B24273falsetrue 11241100x80000000000000005438719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:19.266{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:19.266{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F3A34121F58BFC9987362E4197A958,SHA256=6730E75C934F37BC6DE94D1ECD4E172E44A59DFC323C0AAF759B508C876BBFC8falsetrue 23542300x80000000000000001536721Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:19.460{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B768E30587FF530DC8D0151119E23183,SHA256=53EE2287D03F9737A524C147F33EA6883CB4335D51A22257C5F790ECDE0A70E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536723Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:20.849{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999781504402EB4E37EBF4CDA6A841BD,SHA256=81456F7B53764B718D3A051B261765CB3D26313B3E325E223EC570B03203B6C7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005438731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:20.407{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005438730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:20.407{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7707E7B15E264773ACB60551F79294F7,SHA256=A2460C3E4D923BA59A2F892EBE20FFDA2089E527D0CF03C5E4BF7899F02689EBfalsetrue 11241100x80000000000000005438729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:20.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 11241100x80000000000000005438728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:20.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:20.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07256A59F340537B4FDD47DA4CA89658,SHA256=0144BE9081B496E61FAA9C64C24EC8A260DE3F66EE1DA92C87621A4A4DFAD6ECfalsetrue 23542300x80000000000000005438726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:20.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F654A9A1F3ADD78D1E5CDFAA230CAE39,SHA256=2628A21EF37D77301B5B083AB86774F2FAE945D91A8A937ECA148741B68F831Efalsetrue 11241100x80000000000000005438725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:20.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:20.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A41F428F28F84DD1C0468D1C6C073B8B,SHA256=9835D526E289016085C24F1B4FD84C91F917D37E5362447223DA824454B7AE58falsetrue 23542300x80000000000000001536724Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:21.852{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0E63DA54950E2354FB2AB5FBF4282D,SHA256=1DB489BA3321B596E401DB7ED6D84AA5181D71B74A4EF31AD3D022BCC37982B6,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005438790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.469{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005438789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.469{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005438788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.469{4DF467A6-FEA9-6138-6CD4-00000000F001}69286640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005438787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.469{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005438786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.469{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005438785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.360{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005438784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.360{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 
734700x80000000000000005438783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.360{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005438782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:21.360{4DF467A6-FEA9-6138-6CD4-00000000F001}6928\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005438781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.360{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005438780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:21.360{4DF467A6-FEA9-6138-6CD4-00000000F001}6928\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005438779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.360{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005438778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.360{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005438777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.360{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005438776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.360{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005438775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.344{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005438774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.344{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005438773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.344{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005438772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.344{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 
734700x80000000000000005438771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.344{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005438770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.344{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005438769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.344{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005438768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.344{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005438767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.344{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005438766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.344{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005438765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.344{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005438764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:21.344{4DF467A6-FEA9-6138-6CD4-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 
Sysmon records from the flattened export, one record per line, newest first as in the export. System fields common to every record: Channel Microsoft-Windows-Sysmon/Operational, Level 4, Opcode 0, Keywords 0x8000000000000000, Security UserID "-", Computer win-dc-291.attackrange.local unless noted. Event versions in this export: ID 1 v5, ID 3 v5, ID 5 v3, ID 7 v3, ID 10 v3, ID 11 v2, ID 17/18 v1, ID 23 v5. Process GUIDs used below: PID 6928 splunk-powershell.exe = {4DF467A6-FEA9-6138-6CD4-00000000F001}; PID 3400 splunk-powershell.exe = {4DF467A6-FEAA-6138-6ED4-00000000F001}; PID 7044 splunkd.exe = {4DF467A6-D933-6137-53AF-00000000F001}; PID 5720 splunk-winevtlog.exe = {4DF467A6-D93F-6137-8AAF-00000000F001}; PID 5448 conhost.exe = {4DF467A6-D934-6137-57AF-00000000F001}; PID 412 csrss.exe = {4DF467A6-3F46-6132-0500-00000000F001}. Where no full path is given, splunk-powershell.exe, splunkd.exe and splunk-winevtlog.exe are in C:\Program Files\SplunkUniversalForwarder\bin\.
ID 7 ImageLoad columns: RecordID | UtcTime | Image (PID) | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
ID 10 ProcessAccess columns: RecordID | UtcTime | SourceImage (PID/TID) | TargetImage (PID) | GrantedAccess | CallTrace
ID 17/18 Pipe columns: RecordID | UtcTime | EventType | PipeName | Image (PID)
ID 11 FileCreate columns: RecordID | UtcTime | Image (PID) | TargetFilename | CreationUtcTime
ID 23 FileDelete columns: RecordID | UtcTime | User | Image (PID) | TargetFilename | Hashes | IsExecutable | Archived

7 (tail of a record whose head precedes this section) | ... (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | true | Microsoft Windows | Valid
7 #5438763 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9 | true | Microsoft Corporation | Valid
7 #5438762 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | true | Microsoft Windows | Valid
7 #5438761 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7 | true | Splunk, Inc. | Valid
7 #5438760 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78 | true | Splunk, Inc. | Valid
7 #5438759 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Windows\System32\rpcrt4.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08 | true | Microsoft Windows | Valid
7 #5438758 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836 | true | Splunk, Inc. | Valid
7 #5438757 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9 | true | Splunk, Inc. | Valid
7 #5438756 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3 | true | Splunk, Inc. | Valid
7 #5438755 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 | true | Microsoft Windows | Valid
7 #5438754 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3 | true | Microsoft Windows | Valid
7 #5438753 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 | true | Microsoft Windows | Valid
7 #5438752 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A | true | Splunk, Inc. | Valid
7 #5438751 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438 | true | Microsoft Windows | Valid
7 #5438750 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.9 | libxml2 library | libxml2 | - | libxml2.dll | MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1 | true | Splunk, Inc. | Valid
7 #5438749 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Windows\System32\advapi32.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1 | true | Microsoft Windows | Valid
10 #5438748 | 2021-09-08 18:19:21.344 | C:\Windows\system32\conhost.exe (5448/6556) | splunk-powershell.exe (6928) | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 #5438747 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Windows\System32\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 | true | Microsoft Windows | Valid
7 #5438746 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 | true | Microsoft Windows | Valid
7 #5438745 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Windows\System32\ntdll.dll | 10.0.14393.4530 (rs1_release.210705-0736) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A | true | Microsoft Windows | Valid
7 #5438744 | 2021-09-08 18:19:21.344 | splunk-powershell.exe (6928) | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | - | - | - | - | - | MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241 | true | Splunk, Inc. | Valid
10 #5438743 | 2021-09-08 18:19:21.344 | C:\Windows\system32\csrss.exe (412/428) | splunk-powershell.exe (6928) | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10 #5438742 | 2021-09-08 18:19:21.344 | splunkd.exe (7044/1372) | splunk-powershell.exe (6928) | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1 #5438741 ProcessCreate | RuleName - | UtcTime 2021-09-08 18:19:21.329 | ProcessGuid {4DF467A6-FEA9-6138-6CD4-00000000F001} | ProcessId 6928 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | FileVersion - | Description - | Product - | Company - | OriginalFileName - | CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 | CurrentDirectory C:\Windows\system32\ | User NT AUTHORITY\SYSTEM | LogonGuid {4DF467A6-3F46-6132-E703-000000000000} | LogonId 0x3e7 | TerminalSessionId 0 | IntegrityLevel System | Hashes MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241 | ParentProcessGuid {4DF467A6-D933-6137-53AF-00000000F001} | ParentProcessId 7044 | ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18 #5438740 | 2021-09-08 18:19:21.329 | ConnectPipe | <Anonymous Pipe> | splunkd.exe (7044)
17 #5438739 | 2021-09-08 18:19:21.329 | CreatePipe | <Anonymous Pipe> | splunkd.exe (7044)
18 #5438738 | 2021-09-08 18:19:21.329 | ConnectPipe | <Anonymous Pipe> | splunkd.exe (7044)
17 #5438737 | 2021-09-08 18:19:21.329 | CreatePipe | <Anonymous Pipe> | splunkd.exe (7044)
18 #5438736 | 2021-09-08 18:19:21.329 | ConnectPipe | <Anonymous Pipe> | splunkd.exe (7044)
17 #5438735 | 2021-09-08 18:19:21.329 | CreatePipe | <Anonymous Pipe> | splunkd.exe (7044)
11 #5438734 | 2021-09-08 18:19:21.297 | splunk-winevtlog.exe (5720) | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 #5438733 | 2021-09-08 18:19:21.297 | NT AUTHORITY\SYSTEM | splunk-winevtlog.exe (5720) | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=721375C1A174009470B4E634110B61A6,SHA256=0C72E5DB84C4A22DD3FF4743B68D05E1F4555CCB8B23A732CF6C0A59D80E2B49 | false | true
3 #5438732 NetworkConnect | RuleName - | UtcTime 2021-09-08 18:19:06.861 | ProcessGuid {4DF467A6-D939-6137-81AF-00000000F001} | ProcessId 4208 | Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User NT AUTHORITY\SYSTEM | Protocol tcp | Initiated true | SourceIsIpv6 false | SourceIp 10.0.1.14 | SourceHostname win-dc-291.attackrange.local | SourcePort 63485 | SourcePortName - | DestinationIsIpv6 false | DestinationIp 10.0.1.12 | DestinationHostname - | DestinationPort 8000 | DestinationPortName -
23 #1536726 (Computer win-host-296.attackrange.local) | 2021-09-08 18:19:22.870 | NT AUTHORITY\SYSTEM | splunk-winevtlog.exe (3924, ProcessGuid {AEE49BD1-41FD-6132-DA00-00000000F101}) | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=043415A2460CD477CB24F311BE598216,SHA256=7AD26626AD561A76D2E43F1C0DB2F1B23FFDA03B7DD578EC155DE8F564F196C0,IMPHASH=00000000000000000000000000000000 | false | true
5 #5438915 ProcessTerminate | RuleName - | 2021-09-08 18:19:22.845 | splunk-powershell.exe (3400)
7 #5438914 | 2021-09-08 18:19:22.845 | splunk-powershell.exe (3400) | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C | true | Microsoft Windows | Valid
10 #5438913 | 2021-09-08 18:19:22.845 | splunk-powershell.exe (3400/7744) | splunkd.exe (7044) | 0x101400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 #5438912 | 2021-09-08 18:19:22.845 | splunk-powershell.exe (3400) | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146 | true | Microsoft Windows | Valid
7 #5438911 | 2021-09-08 18:19:22.845 | splunk-powershell.exe (3400) | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A | true | Microsoft Windows | Valid
23 #5438910 | 2021-09-08 18:19:22.832 | NT AUTHORITY\SYSTEM | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe (2880, ProcessGuid {4DF467A6-3F58-6132-2900-00000000F001}) | C:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7186 | MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483 | false | true
11 #5438909 | 2021-09-08 18:19:22.831 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe (3604, ProcessGuid {4DF467A6-3F59-6132-4300-00000000F001}) | C:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-7186 | 2021-09-08 18:19:22.830
11 #5438908 | 2021-09-08 18:19:22.830 | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe (2880, ProcessGuid {4DF467A6-3F58-6132-2900-00000000F001}) | C:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-7187 | 2021-09-08 18:19:22.830
7 #5438907 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE | true | Microsoft Windows | Valid
7 #5438906 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862 | true | Microsoft Windows | Valid
7 #5438905 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C | true | Microsoft Windows | Valid
18 #5438904 | 2021-09-08 18:19:22.720 | ConnectPipe | \srvsvc | splunk-powershell.exe (3400)
7 #5438903 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB | true | Microsoft Windows | Valid
18 #5438902 | 2021-09-08 18:19:22.720 | ConnectPipe | \wkssvc | splunk-powershell.exe (3400)
7 #5438901 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74 | true | Microsoft Windows | Valid
7 #5438900 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\wkscli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330 | true | Microsoft Windows | Valid
7 #5438899 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 | true | Microsoft Windows | Valid
7 #5438898 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\netapi32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F | true | Microsoft Windows | Valid
7 #5438897 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF | true | Microsoft Corporation | Valid
7 #5438896 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 | true | Microsoft Windows | Valid
7 #5438895 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E | true | Microsoft Windows | Valid
7 #5438894 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353 | true | Microsoft Windows | Valid
7 #5438893 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\combase.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216 | true | Microsoft Windows | Valid
7 #5438892 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\ole32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552 | true | Microsoft Windows | Valid
7 #5438891 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 | true | Microsoft Windows | Valid
7 #5438890 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3 | true | Microsoft Windows | Valid
7 #5438889 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\gdi32full.dll | 10.0.14393.4530 (rs1_release.210705-0736) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D | true | Microsoft Windows | Valid
7 #5438888 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | true | Microsoft Windows | Valid
7 #5438887 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54 | true | Microsoft Windows | Valid
7 #5438886 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | true | Microsoft Windows | Valid
7 #5438885 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | true | Microsoft Windows | Valid
7 #5438884 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9 | true | Microsoft Corporation | Valid
7 #5438883 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7 | true | Splunk, Inc. | Valid
7 #5438882 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78 | true | Splunk, Inc. | Valid
7 #5438881 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\rpcrt4.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08 | true | Microsoft Windows | Valid
7 #5438880 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836 | true | Splunk, Inc. | Valid
7 #5438879 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9 | true | Splunk, Inc. | Valid
7 #5438878 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 | true | Microsoft Windows | Valid
7 #5438877 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3 | true | Splunk, Inc. | Valid
7 #5438876 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3 | true | Microsoft Windows | Valid
7 #5438875 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 | true | Microsoft Windows | Valid
7 #5438874 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A | true | Splunk, Inc. | Valid
7 #5438873 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438 | true | Microsoft Windows | Valid
7 #5438872 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.9 | libxml2 library | libxml2 | - | libxml2.dll | MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1 | true | Splunk, Inc. | Valid
7 #5438871 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\advapi32.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1 | true | Microsoft Windows | Valid
10 #5438870 | 2021-09-08 18:19:22.720 | C:\Windows\system32\conhost.exe (5448/6556) | splunk-powershell.exe (3400) | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 #5438869 | 2021-09-08 18:19:22.720 | splunk-powershell.exe (3400) | C:\Windows\System32\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 | true | Microsoft Windows | Valid
7 #5438868 | 2021-09-08 (UtcTime and the remaining fields of this record fall outside this section)
18:19:22.720{4DF467A6-FEAA-6138-6ED4-00000000F001}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005438867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.720{4DF467A6-FEAA-6138-6ED4-00000000F001}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005438866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.720{4DF467A6-FEAA-6138-6ED4-00000000F001}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005438865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.705{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FEAA-6138-6ED4-00000000F001}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005438864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.705{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FEAA-6138-6ED4-00000000F001}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005438863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.705{4DF467A6-FEAA-6138-6ED4-00000000F001}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005438862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:22.705{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous 
Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:19:22.705{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005438860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:22.705{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:19:22.705{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005438858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:22.705{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005438857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:19:22.705{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005438856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.330{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005438855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.330{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07256A59F340537B4FDD47DA4CA89658,SHA256=0144BE9081B496E61FAA9C64C24EC8A260DE3F66EE1DA92C87621A4A4DFAD6ECfalsetrue 11241100x80000000000000005438854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.330{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.330{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0FEEEE6CF1B3B9F5601804357F6086,SHA256=4CB2CC4ED2101675C620B0AD686EB28A3D2F3B1B0625E3E4C5D14BD1D6E3C178falsetrue 11241100x80000000000000005438852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.314{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005438851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.314{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920EAB37B537221820D18758593E03C3,SHA256=4F3CD20B6CA8D02E13811BB810196776808FF4E5C9EF3C07EB56628ACACC7833falsetrue 23542300x80000000000000001536725Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:19:22.052{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FDE6206AAD2DF7D8A1AFECF5C5FCE78,SHA256=36EE3CBD1EB9822849E4251C4642C6AC5B73BD387BB33E928AFB39813848E57D,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005438850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.157{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005438849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.157{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005438848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.157{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005438847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.157{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® 
Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005438846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.047{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005438845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.047{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005438844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.047{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005438843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:22.047{4DF467A6-FEAA-6138-6DD4-00000000F001}6960\srvsvcC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005438842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.047{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005438841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005438840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005438839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005438838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005438837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005438836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005438835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft 
CorporationValid 734700x80000000000000005438834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005438833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005438832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005438831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005438830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005438829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005438828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005438827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005438826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005438825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005438824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005438823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005438822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005438821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005438820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005438819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL 
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005438818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005438817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005438816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005438815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005438814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005438813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005438812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005438811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:22.032{4DF467A6-FEAA-6138-6DD4-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36677131E93B1BEF3839D143E109444D,SHA256=D6F670B997EF6010DC7EFA279F3091C22C6194A817CCB3BE16D809394D9EB8FE,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005439113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.814{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005439112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.814{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005439111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.814{4DF467A6-FEAC-6138-71D4-00000000F001}75767116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005439110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:19:24.798{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005439109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.798{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005439108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005439107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 
734700x80000000000000005439106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005439105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005439104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005439103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005439102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005439101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005439100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005439099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005439098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005439097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005439096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005439095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 
734700x80000000000000005439094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.689{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005439093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005439092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005439091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005439090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005439089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005439088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005439087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005439086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005439085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005439084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005439083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL 
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005439082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005439081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005439080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005439079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005439078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005439077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005439076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005439075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005439074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005439073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005439072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005439071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® 
Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005439070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005439069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005439068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005439067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005439066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005439065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005439064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:24.673{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FEAC-6138-71D4-00000000F001}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
15:28:51.675 23542300x80000000000000005439176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.580{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4927307261880DD6BA80E69741F43DE,SHA256=A06121AE04D1879C28838FF7397402CC7A5ECA3607E059EC22D4D7874E04EC69falsetrue 11241100x80000000000000005439175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005439174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=488C836A0B95BDEB63E28F11AEA37F1C,SHA256=F605BEB7B984A8CC50FE6B7B10EDDA7EEB252903223A0FFB2A7581880EE42C16falsetrue 534500x80000000000000005439173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.423{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005439172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.423{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005439171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.423{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005439170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.423{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005439169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.330{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005439168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.330{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62FC329AF417A04EEAF353A0434C203,SHA256=8A1CD9A9842221CCA2C0221DB8236BF1B0ADDCA36567ED416D2816F3C1129BB3falsetrue 734700x80000000000000005439167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.314{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005439166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.314{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005439165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.314{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005439164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:19:25.314{4DF467A6-FEAD-6138-72D4-00000000F001}7000\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005439163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.314{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005439162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005439161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005439160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 
734700x80000000000000005439159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005439158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005439157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005439156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005439155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005439154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005439153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005439152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005439151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005439150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005439149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005439148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005439147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005439146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005439145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005439144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005439143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005439142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005439141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005439140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005439139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005439138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005439137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 
734700x80000000000000005439136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005439135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005439134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005439133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005439132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005439131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005439130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005439129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005439128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005439127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005439126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005439125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:19:25.298{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005439124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005439123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.298{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005439122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.284{4DF467A6-FEAD-6138-72D4-00000000F001}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005439121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:25.283{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005439120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:19:25.283{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005439119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:25.283{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005439118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:19:25.283{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
18141800x80000000000000005439117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:25.283{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005439116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:19:25.283{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005439115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.080{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005439114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:25.080{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E6AF33042B94A6B4461FEBA7781326E,SHA256=98E20B9A8E7AA6785C5B4163888F02EF14E3754071AEAE945D006420D3FB60DFfalsetrue 23542300x80000000000000001536731Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:26.913{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6309CA1A6986DB96E21A07E834EF69B2,SHA256=90B4F8ACE382314B2BC1B59608C35F8F6005713BDAD6CE56D16C30566687E1E8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005439181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:26.627{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005439180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:26.627{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1223CFD28B331D693AF2D45E124D6ACB,SHA256=BE1918EC3EE3982C1908BF5E0343EC2550CA70351AC00B1AC5629235762319AAfalsetrue 11241100x80000000000000005439179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:26.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005439178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:26.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80408BDF59A9B7A7ED7FFCA02134C96C,SHA256=F859CC46B93FBCE8AF3FB1D6C5429195CA89CDAE4B3B2D73E6FB7D1EA39DAB0Efalsetrue 23542300x80000000000000001536734Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:27.915{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA57B81844923394940E3A3491F964E,SHA256=C420E00BAC4C469E34FCD35C3BEC3F032274AAECFD2F6C6D6C41C544A0D6F742,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005439188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:27.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005439187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:27.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BA2E0B8A96594A4D793A16E035FC44,SHA256=0E9C0E74DA48A1291708F515A0B9E9B8E05B589BB6666081E8E1105915BC7434falsetrue 23542300x80000000000000001536733Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:27.133{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=875BD5F82BDAD1E81689CE2B2A5E1C2B,SHA256=76A3A9C2ABEED25C10E318B554FFB7EE8E96AB061491422CF2980B53441DA613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536732Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:27.132{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0DA772A51CAB616EA54B8F1CFC5EF20,SHA256=5B004DBF60458582AF5390CB59619B046A84E3C2866C65F3764B11EE726BECAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005439186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:19:12.722{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63486-false10.0.1.12-8000- 11241100x80000000000000005439185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:27.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000005439184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:27.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B2C45ED9D16A431B022313C347A00E20,SHA256=E9CC2209EFC71FBFB93E08F7C6EAC49E9D6082C41517CFB992E232E25B3AE807falsetrue 11241100x80000000000000005439183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:27.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000005439182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:27.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1726C7D66D483EF6DF4FFCFD8242A279,SHA256=B5C6D0F5C91B27B3D998639F30608A53E97898742189C71571BB90AFB12CACADfalsetrue 23542300x80000000000000001536736Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:28.935{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F381EDD3F5117ADE52202D4373DAFA,SHA256=98F3AB6134ACF65E907EB2BC9379C8DE1F78F0387FA18F35A73B4890D9D629AE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005439192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:28.692{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005439191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:28.692{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6177554F0D8ED7D0C089015C4E9ABF05,SHA256=223638D3B7C228A1859956C21B1073995FF351FA85373A24601DE8E1CBE5FF54falsetrue 354300x80000000000000001536735Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:20.764{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60716-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005439190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:28.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000005439189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:28.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8205379BF5734C736297931E8CF77E0,SHA256=CBC44BD0F6EF8B5F752CBFBAB3E453E661A45957DED17942B53B456292F9D1AEfalsetrue 23542300x80000000000000001536737Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:29.943{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70DBA9A34D8E38973670EE2F875613FF,SHA256=D9847F5AD1AB85D9C19E79BA6063610B171E4AD3E9FFF6A22E71D27D638D3B25,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005439199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:19:29.989{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475Binary Data 11241100x80000000000000005439198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:29.942{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005439197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:29.942{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C4DEB04E36B3455E86353E82523D60E1,SHA256=47F64FC3C525FBFB21F7799D9C745B1B2BD615DE8A023E72FAA592405A337B9Bfalsetrue 11241100x80000000000000005439196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:29.942{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005439195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:29.942{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D860EB10F716E0B6BEE0AA63C9D71F,SHA256=938A4EF0C8B8C7A2B6C7E9955C62584A483C502206A835BB4323FFA85F549BEBfalsetrue 18141800x80000000000000005439194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:19:29.505{4DF467A6-3F58-6132-2A00-00000000F001}2924\wkssvcC:\Windows\system32\dfssvc.exe 10341000x80000000000000005439193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:19:29.505{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-3F3E-6132-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001536738Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:30.976{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E5C77F1DB11B4BB1685E1F7E40F1BB,SHA256=162696BF42365097C46995FE8E2A1389658C0F790F147DB94436B9F318D4AB91,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005439209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:30.989{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000005439208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:30.989{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FD74C005C0213CE168B5C517AD3C94,SHA256=77CE564CEC476202199F6A20F39A2246FF6EC2516E4D1ECE60BC280CFCCCB299falsetrue 11241100x80000000000000005439207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:30.536{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005439206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:30.536{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84D22879A166CE679B61906F16E4691B,SHA256=6A0874C420377DB9C17A98A64F2DCD93BF6A915D74E981A8554C58C4232BAFFCfalsetrue 11241100x80000000000000005439205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:30.489{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005439204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:30.489{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D765FCE5B47FE1AA93166B2AF543F327,SHA256=D1BA9B23D504F65A75793E14521016BF3CECE03041EBF021D0B432F5A5EA689Dfalsetrue 11241100x80000000000000005439203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:30.317{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x80000000000000005439202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:30.317{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7E353DFEEF1B224656719574D1E6D4F7,SHA256=74B670044DD965E5226A615817963EB035E3CFC0B1CA3D6B971F46538288BDB8falsetrue 11241100x80000000000000005439201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:30.036{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005439200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:30.036{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F3E9F1B4CDAD36EC7915FAC1387471F1,SHA256=E8D2116971E4DA95FCEA20296088F91283C5C58B92CD6CA8F76F7C9B7A501C1Bfalsetrue 23542300x80000000000000001536739Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:31.979{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF4E867958DB79E3A5DD8CAFA54400A,SHA256=544F210927668D1755A545BA2AE8EB47ACBF515D19AD99EFBEB9F87A470E5AAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005439212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:17.724{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63488-false10.0.1.12-8000- 354300x80000000000000005439211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:17.147{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63487-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000005439210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:19:17.147{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63487-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 10341000x80000000000000001536750Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:32.581{AEE49BD1-FEB4-6138-68CE-00000000F101}46201508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536749Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:32.449{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FEB4-6138-68CE-00000000F101}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536748Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:32.449{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536747Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:19:32.449{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536746Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:32.449{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536745Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:19:32.449{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001536744Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:32.449{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FEB4-6138-68CE-00000000F101}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001536743Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:32.449{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FEB4-6138-68CE-00000000F101}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001536742Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:32.446{AEE49BD1-FEB4-6138-68CE-00000000F101}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001536741Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:32.180{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F3D9A88BCAB88B88446E3A81D2043A8,SHA256=BDDD81AFDDC5B005867F40E6C630C164A42C42986AEA99F4239310B63499ADD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001536740Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:19:32.180{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 